USN-8474-1: NSD vulnerabilities

Publication date

25 June 2026

Overview

NSD could be made to crash or run programs if it received specially crafted network traffic.


Packages

  • nsd - Several security issues were fixed in NSD, including a stack-based buffer overflow in APL resource record handling.

Details

It was discovered that NSD incorrectly handled APL resource records with an
address length larger than permitted for the address family. A remote attacker
could use this to cause a stack-based buffer overflow when the zone is written
to disk, potentially executing arbitrary code with the privileges of the NSD
server. (CVE-2026-12246)
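
The bounds check that the APL paragraph above turns on, as an added example (not NSD's code and not the Ubuntu patch): a converter from one APL item in RFC 3123 wire format to its text form that rejects an address length larger than the address family allows before copying into a fixed-size buffer. The function name and the sample byte strings are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Convert one APL item (RFC 3123 wire format) at rdata[0..len) to text
 * "[!]family:address/prefix". Returns bytes consumed, or -1 if malformed. */
int apl_item_to_text(const uint8_t *rdata, size_t len, char *out, size_t outlen) {
    uint8_t addr[16] = {0};              /* fixed buffer: largest family is IPv6 */
    char txt[INET6_ADDRSTRLEN];
    if (len < 4) return -1;              /* header: family(2) prefix(1) N|afdlen(1) */
    unsigned family = (unsigned)rdata[0] << 8 | rdata[1];
    unsigned prefix = rdata[2];
    int negated = rdata[3] & 0x80;       /* top bit is the negation flag */
    size_t afdlen = rdata[3] & 0x7f;     /* 7-bit field: can claim up to 127 bytes */
    size_t max = family == 1 ? 4 : family == 2 ? 16 : 0;
    int af = family == 1 ? AF_INET : AF_INET6;
    if (max == 0) return -1;             /* unknown family: rejected in this example */
    if (afdlen > max) return -1;         /* the check: length must fit the family */
    if (prefix > max * 8) return -1;     /* prefix cannot exceed the address width */
    if (len - 4 < afdlen) return -1;     /* address bytes must lie inside the RDATA */
    memcpy(addr, rdata + 4, afdlen);     /* bounded by max <= sizeof addr */
    if (!inet_ntop(af, addr, txt, sizeof txt)) return -1;
    int n = snprintf(out, outlen, "%s%u:%s/%u", negated ? "!" : "", family, txt, prefix);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* text did not fit in out */
    return (int)(4 + afdlen);
}

/* Constructed sample inputs (not taken from the advisory). */
static const uint8_t APL_OK[]  = {0x00, 0x01, 21, 0x03, 192, 168, 32};   /* IPv4, 3 address bytes */
static const uint8_t APL_NEG[] = {0x00, 0x02, 8, 0x81, 0xff};            /* negated IPv6, 1 byte */
static const uint8_t APL_BAD[] = {0x00, 0x01, 24, 0x05, 10, 0, 0, 0, 0}; /* IPv4 claiming 5 bytes */

int main(void) {
    char buf[64];
    int r = apl_item_to_text(APL_OK, sizeof APL_OK, buf, sizeof buf);
    printf("%d %s\n", r, r > 0 ? buf : "(rejected)");
    r = apl_item_to_text(APL_BAD, sizeof APL_BAD, buf, sizeof buf);
    printf("%d %s\n", r, r > 0 ? buf : "(rejected)");
    return 0;
}
```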

It was discovered that NSD incorrectly handled SVCB resource records. A remote
attacker could use this to cause a heap overflow, potentially executing
arbitrary code with the privileges of the NSD server. This issue only affected
Ubuntu 26.04 LTS. (CVE-2026-12244)

It was discovered that NSD had a use-after-free vulnerability in TLS
connection error logging. A remote attacker could use this to cause a denial
of service by crashing the server process. This issue only affected Ubuntu
26.04 LTS. (CVE-2026-12245)

It was discovered that NSD incorrectly handled TLS authentication for zone
transfers. An attacker could bypass transfer security restrictions when
certain conditions were met. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-12490)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release        Package   Version
26.04 LTS resolute    nsd       4.14.0-1ubuntu0.1~esm1
24.04 LTS noble       nsd       4.8.0-1ubuntu0.1~esm1
22.04 LTS jammy       nsd       4.3.9-1ubuntu0.1~esm1
20.04 LTS focal       nsd       4.1.26-1ubuntu0.1~esm1
18.04 LTS bionic      nsd       4.1.17-1ubuntu0.1~esm1
16.04 LTS xenial      nsd       4.1.7-1ubuntu0.1~esm1
                      nsd3      4.1.7-1ubuntu0.1~esm1
