CVE-2026-12246

Publication date 25 June 2026

Last updated 26 June 2026

Ubuntu priority

Description

NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nsd	26.04 LTS resolute	Fixed 4.14.0-1ubuntu0.1~esm1
	25.10 questing	Vulnerable
	24.04 LTS noble	Fixed 4.8.0-1ubuntu0.1~esm1
	22.04 LTS jammy	Fixed 4.3.9-1ubuntu0.1~esm1
	20.04 LTS focal	Fixed 4.1.26-1ubuntu0.1~esm1
	18.04 LTS bionic	Fixed 4.1.17-1ubuntu0.1~esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Severity score breakdown

CVSS version: CVSS v4.0

Base score 7.2 · High

Base metrics

Parameter	Value
Attack vector	Network
Attack complexity	Low
Attack requirements	None
Privileges required	Low
User interaction	None
Vulnerable system - Confidentiality impact	None
Vulnerable system - Integrity impact	High
Vulnerable system - Availability impact	High
Subsequent system - Confidentiality impact	None
Subsequent system - Integrity impact	None
Subsequent system - Availability impact	None

Scores

Parameter	Value
Base score	7.2 · High
Base + Threat score	-
Base + Environmental score	-
Base + Threat + Environmental score	-

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References

Related Ubuntu Security Notices (USN)

USN-8474-1
NSD vulnerabilities
25 June 2026

Other references

https://www.cve.org/CVERecord?id=CVE-2026-12246