FreeBSD : NSD -- vulnerabilities (bebbc065-73d2-11f1-910d-3c7c3fba4204)

high Nessus Plugin ID 323941

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the bebbc065-73d2-11f1-910d-3c7c3fba4204 advisory.

NLnet Labs reports:
CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a specially crafted SVCB RR with an rdata size of 65512, that lets a (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes. Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, given the potential severity of the attack.
CVE-2026-12245: An attacker can keep all children in a crash-restart loop denying DoT service.
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Any client with access to the DoT port (853) can trigger this. Even though a new server process will be immediately reforked to replace the crashed one, an attacker can keep all children in a crash-restart loop denying DoT service.
CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out.
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, where a primary could introduce the rogue APL with the secondary not noticing or only after the fact.
CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by transferring over TCP.
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over TCP over the regular port, when the other conditions of the provide-xfr rule match.
The transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the tls-auth-xfr-only option is not explicitly set to yes (which it by default is not).
Thanks to people below for reporting and disclosing these vulnerabilities:

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
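
The CVE-2026-12490 condition described above can be checked in configuration as well as by package version. The following is an added example, not code from the advisory, NLnet Labs or Tenable: it lists provide-xfr rules that name a tls-auth-name while tls-auth-xfr-only is not set to yes. The sample configuration is constructed, and the parser assumes the argument order `provide-xfr: <ip-spec> <key-name | NOKEY> [tls-auth-name]` and does not follow include: files.

```python
# Constructed sample nsd.conf (addresses and names are documentation values).
SAMPLE_CONF = """
server:
    tls-port: 853
    tls-auth-port: 1853
    # tls-auth-xfr-only: yes

zone:
    name: "example.com"
    provide-xfr: 192.0.2.10 NOKEY secondary.example.net
    provide-xfr: 198.51.100.0/24 tsig-key-1

pattern:
    name: "xot-only"
    provide-xfr: 2001:db8::53 NOKEY "xot.example.net"
"""


def audit_tls_auth_xfr(conf_text):
    """Return (xfr_only, findings); each finding is
    (line_no, section, ip_spec, tls_auth_name) for an exposed provide-xfr rule."""
    xfr_only = False          # the advisory states the option is not set by default
    section = label = None
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")      # first colon only, IPv6 stays intact
        key, args = key.strip(), value.replace('"', "").split()
        if not args:                             # clause header: server:, zone:, pattern:
            section, label = key, None
        elif key == "name":
            label = args[0]
        elif section == "server" and key == "tls-auth-xfr-only":
            xfr_only = args[0].lower() == "yes"
        elif key == "provide-xfr" and len(args) >= 3:
            # Assumed layout: <ip-spec> <key-name | NOKEY> [tls-auth-name]
            rules.append((line_no, f"{section} {label}", args[0], args[2]))
    # Per the advisory, the certificate check can be bypassed unless
    # tls-auth-xfr-only is explicitly yes, so report nothing only in that case.
    return xfr_only, ([] if xfr_only else rules)


if __name__ == "__main__":
    enabled, findings = audit_tls_auth_xfr(SAMPLE_CONF)
    print("tls-auth-xfr-only:", "yes" if enabled else "no (default)")
    for line_no, where, ip_spec, auth_name in findings:
        print(f"line {line_no}: {where}: provide-xfr {ip_spec} expects cert "
              f"{auth_name!r} but transfers outside tls-auth-port are not blocked")
```

Rules without a third argument, such as the TSIG-only rule in the sample, are not reported because they never required a client certificate.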

Solution

Update the affected packages.

See Also

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt

http://www.nessus.org/u?d60bdec2

Plugin Details

Severity: High

ID: 323941

File Name: freebsd_pkg_bebbc06573d211f1910d3c7c3fba4204.nasl

Version: 1.1

Type: Local

Published: 6/30/2026

Updated: 6/30/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-12244

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-12245

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:nsd, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 6/29/2026

Vulnerability Publication Date: 6/25/2026

Reference Information

CVE: CVE-2026-12244, CVE-2026-12245, CVE-2026-12246, CVE-2026-12490