The CVE number for this vulnerability is CVE-2026-10846

== Summary
When ldns is used by applications for (stub) resolving, it does not
sufficiently verify that received responses belong to a sent query.

== Affected products
ldns 1.2.0 up to and including 1.9.0

== Description
NLnet Labs ldns 1.2.0 up to and including version 1.9.0, when used in
applications as a (stub) resolver over UDP, does not match the query
destination address and port against the response source address and
port. Furthermore, neither the query ID nor the question of the query
is matched with that of the response. This makes applications that use
ldns for (stub) resolver functionality vulnerable to off-path poisoning
attacks. The drill tool, which is shipped with ldns and uses ldns for
stub resolving, inherently suffers from this vulnerability too.

== Solution
Download a patched version of ldns, or apply the patch manually.

+ Downloading patched version
ldns 1.9.1 is released with the patch
https://nlnetlabs.nl/downloads/ldns/ldns-1.9.1.tar.gz

+ Applying the Patch manually
For ldns 1.9.0 the patch is:
https://nlnetlabs.nl/downloads/ldns/patch_cve_2026-10846.diff

Apply the patch on the ldns source directory with:
'patch -p0 < patch_cve_2026-10846.diff'
then run 'make install' to install ldns.

== Acknowledgments
We would like to thank Pablo Ruiz from 'codecome.ai' for finding and
reporting this vulnerability.
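
The checks that the Description lists as missing (source address and port, query ID, question) can be expressed as one acceptance test for a UDP response. This is an added example, not ldns code and not the contents of the patch; the function names and the sample packet are constructed for illustration, and it assumes IPv4 and an uncompressed question section.

```c
/* Added example, not ldns code: accept a UDP DNS response only if it matches the query. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#define HDR 12  /* fixed DNS header length */
/* Length of QNAME+QTYPE+QCLASS after the header; 0 if malformed or compressed. */
static size_t question_len(const uint8_t *p, size_t len) {
    size_t off = HDR;
    while (off < len && p[off] != 0) {
        if (p[off] > 63) return 0;          /* pointer or reserved label type */
        off += 1 + (size_t)p[off];
    }
    return (off + 5 <= len) ? off + 5 - HDR : 0;
}

int response_matches_query(const uint8_t *q, size_t qlen, const uint8_t *r, size_t rlen,
        const struct sockaddr_in *sent_to, const struct sockaddr_in *recv_from) {
    /* 1. Response source address and port must equal the query destination. */
    if (sent_to->sin_addr.s_addr != recv_from->sin_addr.s_addr ||
        sent_to->sin_port != recv_from->sin_port) return 0;
    if (qlen < HDR || rlen < HDR) return 0;
    /* 2. Same query ID, and the QR bit marks the packet as a response. */
    if (q[0] != r[0] || q[1] != r[1] || !(r[2] & 0x80)) return 0;
    /* 3. Exactly one question, equal to the one that was sent. */
    if (q[4] || q[5] != 1 || r[4] || r[5] != 1) return 0;
    size_t ql = question_len(q, qlen);
    if (ql == 0 || ql != question_len(r, rlen)) return 0;
    for (size_t i = 0; i < ql; i++) {
        uint8_t a = q[HDR + i], b = r[HDR + i];
        /* name bytes compare case-insensitively, type/class bytes exactly */
        if ((i < ql - 4) ? (tolower(a) != tolower(b)) : (a != b)) return 0;
    }
    return 1;
}
/* Constructed sample: query for example.com, type A, class IN, ID 0x1a2b. */
static const uint8_t SAMPLE_QUERY[] = { 0x1a,0x2b, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m',0, 0,1, 0,1 };

int main(void) {
    uint8_t resp[sizeof SAMPLE_QUERY];
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_port = htons(53) };
    memcpy(resp, SAMPLE_QUERY, sizeof resp);
    resp[2] |= 0x80;                        /* genuine reply: QR set, same ID */
    int ok = response_matches_query(SAMPLE_QUERY, sizeof resp, resp, sizeof resp, &srv, &srv);
    resp[1] ^= 0xff;                        /* reply carrying a different ID */
    int bad = response_matches_query(SAMPLE_QUERY, sizeof resp, resp, sizeof resp, &srv, &srv);
    printf("genuine=%d wrong-id=%d\n", ok, bad);
    return 0;
}
```

A resolver that randomises the case of the query name would compare the name bytes exactly instead of case-insensitively.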