
Description

NLnet Labs ldns 1.2.0 up to and including version 1.9.0, when used in applications as a (stub) resolver over UDP, does not match the query destination address and port against the response source address and port. Furthermore, neither the query ID nor the question of the query is matched with that of the response. This makes applications that use ldns for (stub) resolver functionality over UDP vulnerable to off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.
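The three checks named in the description, written out as an added example (this is not the ldns patch or any NLnet Labs code). The function names are hypothetical, and the sketch assumes IPv4, exactly one question per message, and case-insensitive QNAME comparison.

```c
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Bytes in the question (QNAME+QTYPE+QCLASS) at offset 12; 0 if malformed. */
static size_t question_len(const uint8_t *m, size_t len) {
    size_t off = 12;
    while (off < len && m[off] != 0) {
        if (m[off] > 63) return 0;       /* compression pointer or bad label */
        off += (size_t)m[off] + 1;
    }
    return (off + 5 <= len) ? off + 5 - 12 : 0;
}

static int same_endpoint(const struct sockaddr_in *a, const struct sockaddr_in *b) {
    return a->sin_family == AF_INET && b->sin_family == AF_INET &&
           a->sin_port == b->sin_port && a->sin_addr.s_addr == b->sin_addr.s_addr;
}

/* Returns 1 only if response r came from where query q was sent and echoes
 * its ID and its single question; anything else should be dropped. */
int response_matches_query(const uint8_t *q, size_t qlen, const uint8_t *r, size_t rlen,
        const struct sockaddr_in *sent_to, const struct sockaddr_in *recv_from) {
    if (!same_endpoint(sent_to, recv_from) || qlen < 12 || rlen < 12) return 0;
    if (memcmp(q, r, 2) != 0) return 0;                    /* query ID */
    if (!(r[2] & 0x80)) return 0;                          /* QR bit: a response */
    if (q[4] || q[5] != 1 || r[4] || r[5] != 1) return 0;  /* QDCOUNT == 1 */
    size_t n = question_len(q, qlen);
    if (n == 0 || n != question_len(r, rlen)) return 0;
    for (size_t i = 0; i < n - 4; i++)                     /* QNAME, any case */
        if (tolower(q[12 + i]) != tolower(r[12 + i])) return 0;
    return memcmp(q + 8 + n, r + 8 + n, 4) == 0;           /* QTYPE+QCLASS, exact */
}

/* Constructed sample: query for example.com A IN, ID 0x1a2b, sent to
 * 192.0.2.53:53; the response varies ID, source port and first name byte. */
int demo(uint16_t id, uint16_t src_port, uint8_t first) {
    uint8_t q[] = {0x1a,0x2b, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
                   7,'e','x','a','m','p','l','e', 3,'c','o','m',0, 0,1, 0,1};
    uint8_t r[sizeof q];
    struct sockaddr_in to = {0}, from;
    to.sin_family = AF_INET; to.sin_port = htons(53);
    to.sin_addr.s_addr = htonl(0xC0000235);                /* 192.0.2.53 */
    from = to; from.sin_port = htons(src_port);
    memcpy(r, q, sizeof q);
    r[0] = (uint8_t)(id >> 8); r[1] = (uint8_t)id; r[2] |= 0x80; r[13] = first;
    return response_matches_query(q, sizeof q, r, sizeof r, &to, &from);
}
```

A resolver applying such a check keeps waiting for the genuine answer until its timeout when a datagram fails it, rather than returning the mismatched message to the caller.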

PUBLISHED Reserved 2026-06-04 | Published 2026-06-10 | Updated 2026-06-10 | Assigner NLnet Labs




HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Applications directly or indirectly using the ldns_send_buffer function for (stub) resolving

Problem types

CWE-346 Origin Validation Error

Product status

Default status
unaffected

1.2.0 (semver) before 1.9.1
affected

Timeline

2026-05-14: Issue reported by Pablo Ruiz
2026-06-02: NLnet Labs shares patch
2026-06-02: Pablo Ruiz verifies patch
2026-06-10: Fix released with version 1.9.2

Credits

Pablo Ruiz from 'codecome.ai' (finder)

References

www.openwall.com/lists/oss-security/2026/06/10/2

www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt (vendor-advisory)

cve.org (CVE-2026-10846)

nvd.nist.gov (CVE-2026-10846)
