CVE-2026-12245 | NSD from version 4.13.0 has a heap use-after-free bug in log… | CVSS 8.7 HIGH

Description

NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.

Metadata

CVE ID: CVE-2026-12245
State: PUBLISHED
Assigner: NLnet Labs
Reserved: 2026-06-15 06:47 UTC
Published: 2026-06-25 05:24 UTC
Last updated: 2026-06-25 05:24 UTC
Primary CWE: CWE-416
CWE-416: Use After Free
Vendor / Product: NLnet Labs / NSD
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
NLnet Labs	NSD	—	4.13.0 < 4.14.3

Weakness (CWE)

CWE	Source	Description
CWE-416	cna	CWE-416: Use After Free

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (1)

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt