CVE-2026-12244

NLnet Labs · NSD (Name Server Daemon)

NSD is vulnerable to a heap overflow during AXFR zone transfers when processing maliciously crafted SVCB resource records.

Executive summary

A heap overflow vulnerability in the NSD name server allows a malicious primary zone authority to trigger a crash or potentially execute arbitrary code on a secondary DNS server.

Vulnerability

The vulnerability stems from improper handling of SVCB resource record rdata sizes during AXFR transfers, which causes an integer wrap-around in a uint16_t variable. The wrapped value leads to an insufficient memory allocation and a subsequent heap overflow, which can be triggered by an attacker controlling the primary zone.
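To illustrate the bug class described above (an added example, not NSD's source code; the SvcParam lengths are constructed): summing SVCB rdata field sizes into a 16-bit counter wraps modulo 65536, so the size handed to the allocator is far smaller than the data copied afterwards, while a size_t accumulator checked against the RDLENGTH maximum rejects the record before any allocation is sized from it.

```c
/* Illustrative example of a uint16_t length wrap-around and its
 * bounds-checked counterpart. Not NSD code; all values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Each SvcParam on the wire is a 2-byte key, a 2-byte length, then
 * `len` bytes of value. Only key and length are modelled here. */
struct svcparam { uint16_t key; uint16_t len; };

/* Constructed samples: one whose lengths sum past 65535, one that is fine. */
const struct svcparam sample_wrap[2] = { {1, 40000}, {2, 30000} };
const struct svcparam sample_ok[2]   = { {1, 3}, {3, 2} };

/* Vulnerable pattern: total rdata size kept in a uint16_t. */
uint16_t total_len_u16(const struct svcparam *p, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += 4 + p[i].len;   /* silently wraps modulo 65536 */
    return total;
}

/* Hardened pattern: size_t accumulator, reject anything over the
 * 16-bit RDLENGTH maximum before an allocation is derived from it. */
#define MAX_RDLENGTH 65535
int total_len_checked(const struct svcparam *p, size_t n, size_t *out)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += 4 + (size_t)p[i].len;
        if (total > MAX_RDLENGTH)
            return -1;           /* malformed record: refuse it */
    }
    *out = total;
    return 0;
}

int main(void)
{
    size_t checked;
    /* 70008 bytes of params collapse to 4472 in the 16-bit counter. */
    printf("u16 total: %u\n", total_len_u16(sample_wrap, 2));
    if (total_len_checked(sample_wrap, 2, &checked) != 0)
        puts("checked: rejected as oversized");
    return 0;
}
```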

Business impact

A successful exploit of this vulnerability could lead to a denial-of-service (DoS) condition by crashing the DNS service, potentially impacting name resolution for the entire organization. With a CVSS score of 8.7, the risk of arbitrary code execution cannot be ruled out, which would allow an attacker to gain a foothold on critical DNS infrastructure.

Remediation

Immediate Action: Update the NSD installation to the latest patched version released by NLnet Labs as soon as it becomes available.

Proactive Monitoring: Monitor DNS server logs for unexpected service crashes or restarts, and review traffic patterns for unusually large or malformed AXFR requests.

Compensating Controls: Restrict zone transfers (AXFR/IXFR) to trusted IP addresses only to prevent unauthorized primary servers from interacting with your secondary instances.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Maintaining stable DNS infrastructure is critical to overall network availability. Security teams should prioritize patching NSD instances to prevent both service disruption and potential system-level compromise. Regularly audit the list of authorized primary servers for all secondary zone configurations to minimize the attack surface.