Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for NSD by NLnet Labs

    CVE-2026-12490 (GCVE-0-2026-12490)

    Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:41
    VLAI
    Title
    Bypass of client certificate verification with transfer over TLS
    Summary
    When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.10.1 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12490",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:40:01.913311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:41:18.144Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.10.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the tls-auth-xfr-only option is not explicitly set to yes (which it by default is not)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:41.814Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-17T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Bypass of client certificate verification with transfer over TLS",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12490",
        "datePublished": "2026-06-25T05:24:41.814Z",
        "dateReserved": "2026-06-17T06:44:23.686Z",
        "dateUpdated": "2026-06-25T12:41:18.144Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12246 (GCVE-0-2026-12246)

    Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
    VLAI
    Title
    Out of bounds stack write with crafted APL RR
    Summary
    NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.14.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks Haruki Oyama from Waseda University zhangph
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12246",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:41:56.092027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:42:05.428Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Haruki Oyama from Waseda University"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "zhangph"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Processing of a zone containing a crafted APL can crash NSD when writing the zone to disk. These zones can be provided by a trusted primary"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:29.512Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Haruki Oyama"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch with Qifan Zhang and Haruki Oyama"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "Haruki Oyama verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Issue reported by zhangph"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch with zhangph"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Out of bounds stack write with crafted APL RR",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12246",
        "datePublished": "2026-06-25T05:24:29.512Z",
        "dateReserved": "2026-06-15T06:47:44.761Z",
        "dateUpdated": "2026-06-25T12:42:05.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12245 (GCVE-0-2026-12245)

    Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
    VLAI
    Title
    Denial of DNS over TLS service by any DoT client
    Summary
    NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.13.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12245",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:42:22.635356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:42:50.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:18.620Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Denial of DNS over TLS service by any DoT client",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12245",
        "datePublished": "2026-06-25T05:24:18.620Z",
        "dateReserved": "2026-06-15T06:47:18.496Z",
        "dateUpdated": "2026-06-25T12:42:50.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12244 (GCVE-0-2026-12244)

    Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:45
    VLAI
    Title
    Heap overflow and crash with crafted SVCB RR
    Summary
    If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.14.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12244",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:45:15.927329Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:45:34.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let\u0027s an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size \u003e 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:08.548Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Heap overflow and crash with crafted SVCB RR",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12244",
        "datePublished": "2026-06-25T05:24:08.548Z",
        "dateReserved": "2026-06-15T06:46:44.866Z",
        "dateUpdated": "2026-06-25T12:45:34.403Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-28935 (GCVE-0-2020-28935)

    Vulnerability from nvd – Published: 2020-12-07 21:46 – Updated: 2024-09-16 23:27
    VLAI
    Title
    Local symlink attack in Unbound and NSD
    Summary
    NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.
    Severity
    No CVSS data available.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Date Public
    2020-12-01 00:00
    Credits
    We would like to thank Mason Loring Bliss for bringing the issue to our attention.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:48:00.719Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
              },
              {
                "name": "GLSA-202101-38",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-38"
              },
              {
                "name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
              },
              {
                "name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Unbound",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.12.0"
                }
              ]
            },
            {
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 4.3.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Mason Loring Bliss for bringing the issue to our attention."
            }
          ],
          "datePublic": "2020-12-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-29T00:00:00.000Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
            },
            {
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
            },
            {
              "name": "GLSA-202101-38",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-38"
            },
            {
              "name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
            },
            {
              "name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
            }
          ],
          "title": "Local symlink attack in Unbound and NSD"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2020-28935",
        "datePublished": "2020-12-07T21:46:47.878Z",
        "dateReserved": "2020-11-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:27:01.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-12490 (GCVE-0-2026-12490)

    Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:41
    VLAI
    Title
    Bypass of client certificate verification with transfer over TLS
    Summary
    When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.10.1 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12490",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:40:01.913311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:41:18.144Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.10.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the tls-auth-xfr-only option is not explicitly set to yes (which it by default is not)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:41.814Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-17T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Bypass of client certificate verification with transfer over TLS",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12490",
        "datePublished": "2026-06-25T05:24:41.814Z",
        "dateReserved": "2026-06-17T06:44:23.686Z",
        "dateUpdated": "2026-06-25T12:41:18.144Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12246 (GCVE-0-2026-12246)

    Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
    VLAI
    Title
    Out of bounds stack write with crafted APL RR
    Summary
    NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.14.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks Haruki Oyama from Waseda University zhangph
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12246",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:41:56.092027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:42:05.428Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Haruki Oyama from Waseda University"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "zhangph"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Processing of a zone containing a crafted APL can crash NSD when writing the zone to disk. These zones can be provided by a trusted primary"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:29.512Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Haruki Oyama"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch with Qifan Zhang and Haruki Oyama"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "Haruki Oyama verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-16T00:00:00.000Z",
              "value": "Issue reported by zhangph"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch with zhangph"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Out of bounds stack write with crafted APL RR",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12246",
        "datePublished": "2026-06-25T05:24:29.512Z",
        "dateReserved": "2026-06-15T06:47:44.761Z",
        "dateUpdated": "2026-06-25T12:42:05.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12245 (GCVE-0-2026-12245)

    Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
    VLAI
    Title
    Denial of DNS over TLS service by any DoT client
    Summary
    NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.13.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12245",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:42:22.635356Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:42:50.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.13.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:18.620Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Denial of DNS over TLS service by any DoT client",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12245",
        "datePublished": "2026-06-25T05:24:18.620Z",
        "dateReserved": "2026-06-15T06:47:18.496Z",
        "dateUpdated": "2026-06-25T12:42:50.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12244 (GCVE-0-2026-12244)

    Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:45
    VLAI
    Title
    Heap overflow and crash with crafted SVCB RR
    Summary
    If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    NLnet Labs NSD Affected: 4.14.0 , < 4.14.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-25 00:00
    Credits
    Qifan Zhang from Palo Alto Networks
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12244",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T12:45:15.927329Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T12:45:34.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "lessThan": "4.14.3",
                  "status": "affected",
                  "version": "4.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang from Palo Alto Networks"
            }
          ],
          "datePublic": "2026-06-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let\u0027s an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size \u003e 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T05:24:08.548Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This issue is fixed starting with version 4.14.3."
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T00:00:00.000Z",
              "value": "Issue reported by Qifan Zhang"
            },
            {
              "lang": "en",
              "time": "2026-06-12T00:00:00.000Z",
              "value": "NLnet Labs shares patch"
            },
            {
              "lang": "en",
              "time": "2026-06-15T00:00:00.000Z",
              "value": "Qifan Zhang verifies patch"
            },
            {
              "lang": "en",
              "time": "2026-06-25T00:00:00.000Z",
              "value": "Fix released with version 4.14.3"
            }
          ],
          "title": "Heap overflow and crash with crafted SVCB RR",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2026-12244",
        "datePublished": "2026-06-25T05:24:08.548Z",
        "dateReserved": "2026-06-15T06:46:44.866Z",
        "dateUpdated": "2026-06-25T12:45:34.403Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-28935 (GCVE-0-2020-28935)

    Vulnerability from cvelistv5 – Published: 2020-12-07 21:46 – Updated: 2024-09-16 23:27
    VLAI
    Title
    Local symlink attack in Unbound and NSD
    Summary
    NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.
    Severity
    No CVSS data available.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Date Public
    2020-12-01 00:00
    Credits
    We would like to thank Mason Loring Bliss for bringing the issue to our attention.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:48:00.719Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
              },
              {
                "name": "GLSA-202101-38",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-38"
              },
              {
                "name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
              },
              {
                "name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Unbound",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.12.0"
                }
              ]
            },
            {
              "product": "NSD",
              "vendor": "NLnet Labs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 4.3.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Mason Loring Bliss for bringing the issue to our attention."
            }
          ],
          "datePublic": "2020-12-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-29T00:00:00.000Z",
            "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
            "shortName": "NLnet Labs"
          },
          "references": [
            {
              "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
            },
            {
              "url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
            },
            {
              "name": "GLSA-202101-38",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-38"
            },
            {
              "name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
            },
            {
              "name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
            }
          ],
          "title": "Local symlink attack in Unbound and NSD"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "assignerShortName": "NLnet Labs",
        "cveId": "CVE-2020-28935",
        "datePublished": "2020-12-07T21:46:47.878Z",
        "dateReserved": "2020-11-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:27:01.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }