CVE-2026-12246
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In NSD version 4.14.0, a bug was introduced where a specially crafted APL RR with an adflength larger than permitted for the address family overwrites the stack when the zone is written to disk, with a maximum of 111 attacker-controlled bytes.
Risk Assessment
An attacker can remotely cause a stack overflow, potentially leading to arbitrary code execution or denial of service of the NSD service, compromising the integrity and availability of the DNS server.
Recommendation
Immediately update NSD to version 4.14.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.

