Bug 2494188 - CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [fedora-all]
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: nsd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["beefe42f-ed4c-4824-860a-0...
Depends On:
Blocks: CVE-2026-12244
Reported: 2026-06-29 13:49 UTC by Marco Benatto
Modified: 2026-06-29 13:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Description Marco Benatto 2026-06-29 13:49:04 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a specially crafted SVCB RR with an rdata size of 65512, that lets a (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) heap write of up to 65509 bytes.

Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, given the potential severity of the attack.
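The 16-bit size wrap described in the report, shown beside a checked size computation. This is an added example, not code from NSD or from the reporter; `RR_OVERHEAD`, the function names and the sample lengths other than 65512 are assumptions made for illustration, so the resulting numbers do not reproduce NSD's actual layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: fixed bookkeeping bytes stored with each RR.
 * NSD's real per-record overhead is not given in the report. */
#define RR_OVERHEAD 32u

/* Flawed pattern: the sum is correct in unsigned int, then loses its
 * high bits when stored in a 16-bit variable used as the allocation size. */
static uint16_t alloc_size_truncating(uint16_t rdlength)
{
    return (uint16_t)(RR_OVERHEAD + rdlength);
}

/* Hardened pattern: compute in size_t and reject any record whose total
 * does not fit the limit. Returns 0 on success, -1 if it must be refused. */
static int alloc_size_checked(size_t rdlength, size_t limit, size_t *out)
{
    if (rdlength > limit || RR_OVERHEAD > limit - rdlength)
        return -1;
    *out = RR_OVERHEAD + rdlength;
    return 0;
}

int main(void)
{
    /* Constructed sample rdata lengths; 65512 is the size named in the report. */
    const uint16_t samples[] = { 64, 1000, 65503, 65512 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        uint16_t wrapped = alloc_size_truncating(samples[i]);
        int rc = alloc_size_checked(samples[i], UINT16_MAX, &safe);

        printf("rdlength=%5u truncating=%5u checked=%s",
               (unsigned)samples[i], (unsigned)wrapped,
               rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" (%zu bytes)", safe);
        putchar('\n');
    }
    return 0;
}
```

With the truncating version the allocation size for the largest record is smaller than the rdata that is later copied into it, which is the condition the report describes; the checked version refuses the record before any allocation happens.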

