A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
Summary
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes A flaw was found in nsd. When nsd is configured as a secondary server for a zone, a remote attacker, acting as the primary server for that zone, can send a specially crafted DNS message within an AXFR (Asynchronous Full Zone Transfer) request. This message, containing a malformed SVCB (Service Binding) resource record, can cause a heap overflow, leading to arbitrary code execution. This vulnerability poses a significant risk, especially in multi-tenant secondary DNS deployments, due to the potential for a controlled write of a large amount of data. This Important vulnerability in NSD allows a remote attacker, acting as a configured primary DNS server, to trigger a heap overflow during an AXFR zone transfer. This can lead to arbitrary code execution on the secondary NSD server. The risk is particularly significant in multi-tenant environments where NSD serves as a secondary for multiple zones, as a compromised primary could exploit this flaw within NSD's trust boundary. This vulnerability doesn't affect any supported Red Hat Product. Red Hat severity: Important — CVSS 8 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). Weakness: CWE-787. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Red Hat rates this important; a fix erratum may not be out yet — apply the RHSA as soon as it publishes.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.