The CVE number for this vulnerability is CVE-2026-12244

== Summary

A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.

== Affected products

NSD from and including version 4.14.0 up to and including version 4.14.2

== Description

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a specially crafted SVCB RR with an rdata size of 65512. That size lets a (uint16_t) variable that is used to allocate the space needed for the RR wrap (because the total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) heap write of up to 65509 bytes.

Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, given the potential severity of the attack.

== Mitigation

=== Downloading patched version

NSD 4.14.3 is released with the patch:
https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz

=== Applying the patch manually

For NSD 4.14.2 the patch is:
https://nlnetlabs.nl/downloads/nsd/patch_CVE-2026-12244.diff

Apply the patch on the nsd source directory with:

    patch -p1 < patch_CVE-2026-12244.diff

then run 'make install' to install nsd. The patch is tested to work on nsd 4.14.2.

== Acknowledgments

We would like to thank Qifan Zhang from Palo Alto Networks for discovering and responsibly disclosing the vulnerability.
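
The bug class named in the Description (a 16-bit size that wraps once the total exceeds 65535), shown next to a checked size computation. This is an added example, not NSD source code and not the released patch. The function names and RR_OVERHEAD are hypothetical; the overhead of 24 is an assumption chosen so that the advisory's rdata size of 65512 is the first value to wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed per-RR bookkeeping size (assumption, not NSD's layout). */
#define RR_OVERHEAD 24u

/* Truncating pattern: the sum is computed in a wider type, then cut to
 * 16 bits, so any total above 65535 silently wraps to a small number. */
static uint16_t rr_size_truncating(uint16_t rdlength)
{
    return (uint16_t)(rdlength + RR_OVERHEAD);
}

/* Checked pattern: compute in size_t and refuse totals that do not fit the
 * 16-bit field. Returns 0 and sets *total on success, -1 on rejection. */
static int rr_size_checked(uint16_t rdlength, size_t *total)
{
    size_t need = (size_t)rdlength + RR_OVERHEAD;
    if (need > UINT16_MAX)
        return -1;
    *total = need;
    return 0;
}

/* How many bytes short a buffer sized with the truncated value would be.
 * The figure depends on the hypothetical layout above, so it is not meant
 * to reproduce the byte count quoted in the advisory. */
static size_t alloc_shortfall(uint16_t rdlength)
{
    size_t needed = (size_t)rdlength + RR_OVERHEAD;
    size_t allocated = rr_size_truncating(rdlength);
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    /* Constructed boundary values around the wrap point. */
    const uint16_t samples[] = { 100, 65511, 65512, 65535 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t total = 0;
        int ok = rr_size_checked(samples[i], &total);
        printf("rdlength=%u truncated=%u shortfall=%zu checked=%s\n",
               (unsigned)samples[i], (unsigned)rr_size_truncating(samples[i]),
               alloc_shortfall(samples[i]), ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

When auditing similar parsers, look for length sums stored in or cast to uint16_t before an allocation and confirm that a bounds check on the untruncated sum precedes it.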