NSD vulnerabilities
Published: Thu, 25 Jun 2026 12:38
Summary
NSD could be made to crash or run programs if it received specially crafted network traffic.
Details
It was discovered that NSD incorrectly handled APL resource records with an address length larger than permitted for the address family. A remote attacker could use this to cause a stack-based buffer overflow when the zone is written to disk, potentially executing arbitrary code with the privileges of the NSD server. (CVE-2026-12246) It was discovered that NSD incorrectly handled SVCB resource records. A remote attacker could use this to cause a heap overflow, potentially executing arbitrary code with the privileges of the NSD server. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-12244) It was discovered that NSD had a use-after-free vulnerability in TLS connection error logging. A remote attacker could use this to cause a denial of service by crashing the server process. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-12245) It was discovered that NSD incorrectly handled TLS authentication for zone transfers. An attacker could bypass transfer security restrictions when certain conditions were met. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-12490)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu bionic
nsd→4.1.17-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.17-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.17-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.1.17-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.17-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.17-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu focal
nsd→4.1.26-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.26-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.26-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.1.26-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.26-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.26-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu jammy
nsd→4.3.9-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.3.9-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.3.9-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.3.9-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.3.9-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.3.9-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu noble
nsd→4.8.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.8.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.8.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.8.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.8.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.8.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu resolute
nsd→4.14.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.14.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.14.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.14.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.14.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.14.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu xenial
nsd→4.1.7-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.7-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.7-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd→4.1.7-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.7-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd=4.1.7-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
nsd3→4.1.7-1ubuntu0.1~esm1apt_upgrade_esmFixed at 4.1.7-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y nsd3=4.1.7-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Are YOU affected by USN-8474-1?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8474-1 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.