The CVE number for this vulnerability is CVE-2026-12245

== Summary

If NSD is configured with DNS over TLS, a client that closes its TLS connection early causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop, denying DoT service.

== Affected products

NSD from and including version 4.13.0 up to and including version 4.14.2

== Description

NSD from version 4.13.0 has a heap use-after-free bug in the code that logs errors on TLS connections, causing a crash of the server process. It can be triggered trivially by sending a DNS query over a DoT connection and closing the connection without reading the response. Any client with access to the DoT port (853) can trigger this. Even though a new server process is immediately reforked to replace the crashed one, an attacker can keep all children in a crash-restart loop, denying DoT service.

== Mitigation

=== Downloading patched version

NSD 4.14.3 is released with the patch:
https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz

=== Applying the patch manually

For NSD 4.14.2 the patch is:
https://nlnetlabs.nl/downloads/nsd/patch_CVE-2026-12245.diff

Apply the patch in the nsd source directory with:

patch -p1 < patch_CVE-2026-12245.diff

then run 'make install' to install nsd. The patch is tested to work on nsd 4.14.2.

== Acknowledgments

We would like to thank Qifan Zhang from Palo Alto Networks for discovering and responsibly disclosing the vulnerability.
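An added exposure check, not part of the advisory or of NSD itself, that combines the two conditions above (affected version range and DoT configured). It assumes `nsd -v` prints a line of the form `NSD version X.Y.Z` and that DoT is enabled by setting `tls-service-key` in nsd.conf; the banner and configuration snippets below are constructed sample inputs.

```python
import re

# Version boundaries taken from the advisory text.
FIRST_AFFECTED = (4, 13, 0)
LAST_AFFECTED = (4, 14, 2)
FIXED = (4, 14, 3)


def parse_nsd_version(banner: str):
    """Extract (major, minor, patch) from 'nsd -v' output.

    Assumes the banner contains 'NSD version 4.14.2' (a suffix such as
    'rc1' is ignored). Returns None when no version can be found.
    """
    m = re.search(r"NSD version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def dot_enabled(nsd_conf: str) -> bool:
    """True if nsd.conf sets tls-service-key, which turns on DoT (port 853 by default).

    Comments after '#' and blank lines are skipped; indentation is ignored.
    """
    for line in nsd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"tls-service-key:\s*\S", line):
            return True
    return False


def assess(banner: str, nsd_conf: str) -> str:
    """Classify a host: vulnerable only if both conditions from the advisory hold."""
    version = parse_nsd_version(banner)
    if version is None:
        return "unknown-version"
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "not-affected-version"
    if not dot_enabled(nsd_conf):
        return "affected-version-dot-disabled"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs (not real hosts).
    banner = "NSD version 4.14.2"
    conf = 'server:\n  tls-service-key: "/etc/nsd/dot.key"  # DoT on\n  tls-port: 853\n'
    print(assess(banner, conf), "fix available in %d.%d.%d" % FIXED)
```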