The CVE number for this vulnerability is CVE-2026-12246

== Summary
The RR type APL rdata address, if too large, causes out of bounds write on the
stack, when the zonefile is written out.


== Affected products
NSD from and including version 4.14.0 up to and including version 4.14.2


== Description
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an
adflength larger than permitted for the address family will overwrite the
stack when the zone is written to disk, with a maximum of 111 attacker
controlled bytes.

Even though the data is from a configured primary inside NSD's trust boundary,
we do consider the risk significant enough for multi-tenant secondary DNS
deployments, where a primary could introduce the rogue APL with the secondary
not noticing or only after the fact.


== Mitigation

=== Downloading patched version
NSD 4.14.3 is released with the patch
https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz

=== Applying the patch manually
For NSD 4.14.2 the patch is:
https://nlnetlabs.nl/downloads/nsd/patch_CVE-2026-12246.diff

Apply the patch on the nsd source directory with:
    patch -p1 < patch_CVE-2026-12246.diff
then run 'make install' to install nsd.

The patch is tested to work on nsd 4.14.2.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks, Haruki Oyama from
Waseda University and zhangph for discovering and responsibly disclosing the
vulnerability.