CVE-2026-10846

Source
https://cve.org/CVERecord?id=CVE-2026-10846
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10846.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10846
Downstream
Related
Published
2026-06-10T07:16:24.443Z
Modified
2026-07-15T06:21:43.099544Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.

References

Affected packages

Git / github.com/nlnetlabs/ldns

Affected ranges

Type
GIT
Repo
https://github.com/nlnetlabs/ldns
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:nlnetlabs:ldns:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.2.0"
        },
        {
            "fixed": "1.9.1"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10846.json"