Ubuntu fixes multiple NSD flaws affecting DNS server security
Ubuntu has published USN-8474-1 to address multiple NSD vulnerabilities, including memory-safety issues and a TLS zone transfer authentication flaw. Organizations running NSD should review affected Ubuntu versions and apply updates promptly.

Key takeaways
- Ubuntu released USN-8474-1 to address multiple security issues in NSD.
- The notice includes memory corruption risks that could potentially lead to code execution with NSD server privileges.
- Several issues, including SVCB handling, TLS logging, and transfer authentication, only affected Ubuntu 26.04 LTS.
- Defenders should identify exposed NSD instances, apply Ubuntu security updates, and validate zone transfer and TLS configurations.
Intro
Ubuntu has issued USN-8474-1 for NSD, addressing multiple vulnerabilities that affect the security and stability of authoritative DNS infrastructure. The notice covers several distinct issues, including memory-safety flaws and a problem related to TLS authentication for zone transfers.
According to Ubuntu, the vulnerabilities include:
- CVE-2026-12246: incorrect handling of APL resource records with an invalid address length, which could cause a stack-based buffer overflow when a zone is written to disk and could potentially lead to arbitrary code execution with the privileges of the NSD server.
- CVE-2026-12244: incorrect handling of SVCB resource records, which could cause a heap overflow and potentially enable arbitrary code execution with NSD server privileges. Ubuntu notes this issue only affected Ubuntu 26.04 LTS.
- CVE-2026-12245: a use-after-free in TLS connection error logging that could allow a remote attacker to crash the server process, resulting in denial of service. This issue only affected Ubuntu 26.04 LTS.
- CVE-2026-12490: incorrect handling of TLS authentication for zone transfers, which could allow an attacker to bypass transfer security restrictions when certain conditions were met. This issue only affected Ubuntu 26.04 LTS.
Why it matters
NSD is commonly used to serve authoritative DNS zones, which makes its reliability and security particularly important for internet-facing infrastructure. Vulnerabilities in authoritative DNS software can have consequences beyond a single host, including service disruption, trust erosion, and increased operational risk for organizations that depend on stable name resolution.
The issues in this notice matter for two main reasons:
- Potential code execution risk: Ubuntu states that some flaws could potentially allow arbitrary code execution with the privileges of the NSD server. Even when privilege scope is limited to the service account, this is still a serious exposure for DNS infrastructure.
- Integrity and availability concerns: The zone transfer authentication issue raises concerns about trust boundaries in DNS operations, while the use-after-free bug could lead to service crashes and availability problems.
Importantly, the notice describes potential impact. Defenders should avoid overstating the situation, but should still treat these vulnerabilities as high-priority maintenance items because they affect a core infrastructure service.
Who should care
This alert is most relevant to:
- Linux and Ubuntu administrators running NSD
- DNS and network infrastructure teams responsible for authoritative name servers
- Managed service providers and hosting platforms that operate DNS services for customers
- Security teams tracking exposure to internet-facing services
- Organizations using Ubuntu 26.04 LTS, since multiple issues in the notice specifically affect that release
If your environment uses NSD for authoritative DNS, or if you rely on zone transfers between internal or external DNS systems, this notice deserves prompt review.
Practical response
Cyberaro recommends a straightforward defensive response:
Identify affected systems
Inventory Ubuntu hosts running NSD, especially those exposed to untrusted networks or participating in zone transfers.
Apply the Ubuntu security updates
Use the package updates referenced in USN-8474-1 and follow your normal change management process for production DNS infrastructure.
Prioritize Ubuntu 26.04 LTS deployments
Because several vulnerabilities only affected Ubuntu 26.04 LTS, teams should verify whether that release is present in production, staging, or lab environments.
Review zone transfer controls
Confirm that zone transfer policies, TLS settings, and peer trust relationships align with your intended security model. After patching, validate that transfer restrictions still behave as expected.
Monitor service health after updates
Check NSD process stability, logging, and zone publication workflows after applying fixes, particularly if the server handles TLS connections or writes zones to disk as part of normal operations.
Document exposure and remediation
Record affected assets, patch status, and any operational validation performed so the issue can be closed cleanly and revisited during audits.
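As an added example supporting the "Review zone transfer controls" step (this is not code from the Ubuntu notice or from the NSD project), the following Python audit parses an nsd.conf and reports, per zone, whether each transfer peer is protected by TLS authentication, TSIG, both, or nothing, and flags request-xfr entries that name a tls-auth block that does not exist. It assumes the NSD 4.x nsd.conf(5) syntax `request-xfr: [AXFR|UDP] <ip> <key|NOKEY> [tls-auth-name]`, `provide-xfr: <ip[/prefix]> <key|NOKEY>` and top-level `tls-auth:` blocks with a `name:`; the embedded configuration is a constructed sample.

```python
SAMPLE_NSD_CONF = """\
tls-auth:          # constructed sample; added example, not from the notice or NSD
    name: "primary-xot"
    auth-domain-name: "ns1.example.net"
zone:
    name: "example.com"
    request-xfr: 192.0.2.1 NOKEY primary-xot
    provide-xfr: 192.0.2.0/24 NOKEY
zone:
    name: "example.org"
    request-xfr: AXFR 203.0.113.7 xfrkey
    request-xfr: 203.0.113.8 NOKEY missing-tls
    provide-xfr: 203.0.113.0/24 xfrkey
"""

def parse_blocks(text):
    """Split nsd.conf into [{'type': 'zone', 'attrs': [(key, value), ...]}, ...]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                 # strip comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):     # clause header, e.g. "zone:"
            blocks.append({"type": line[:-1], "attrs": []})
        elif blocks and ":" in line:                         # indented "key: value"
            key, value = line.strip().split(":", 1)
            blocks[-1]["attrs"].append((key, value.strip().strip('"')))
    return blocks

def audit_transfers(conf_text):
    """Map zone -> [(direction, peer, mechanism)]; mechanism: tls:<name>, tsig:<key>, both joined by '+', none, or undefined-tls:<name>."""
    blocks = parse_blocks(conf_text)
    tls_names = {v for b in blocks if b["type"] == "tls-auth" for k, v in b["attrs"] if k == "name"}
    report = {}
    for b in (b for b in blocks if b["type"] in ("zone", "pattern")):
        peers = report.setdefault(next((v for k, v in b["attrs"] if k == "name"), "<unnamed>"), [])
        for key, value in b["attrs"]:
            toks = [t for t in value.split() if t not in ("AXFR", "UDP")]   # drop transport hint
            if key in ("request-xfr", "provide-xfr") and len(toks) >= 2:   # skip other keys/malformed
                peer, tsig, tls = toks[0], toks[1], (toks[2] if len(toks) > 2 else None)
                parts = [("tls:" if tls in tls_names else "undefined-tls:") + tls] if tls else []
                if tsig != "NOKEY":
                    parts.append("tsig:" + tsig)
                peers.append((key, peer, "+".join(parts) or "none"))
    return report

def weak_peers(report):
    """Entries to fix first: unauthenticated peers or dangling tls-auth references."""
    return [(zone, *e) for zone, entries in report.items() for e in entries
            if e[2] == "none" or e[2].startswith("undefined-tls:")]
```

Peers reported with a `tls:` mechanism are the ones whose trust depends on the TLS transfer authentication addressed by CVE-2026-12490, so they are where post-patch validation of transfer restrictions should focus.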
Bottom line
USN-8474-1 addresses multiple meaningful NSD security flaws in Ubuntu, including issues that could potentially lead to code execution, denial of service, or weakened zone transfer protections. For defenders, this is a practical patch-and-validate alert: identify where NSD is deployed, prioritize affected Ubuntu versions, apply the vendor updates, and confirm that DNS operations and transfer security remain intact.
Frequently asked questions
What is USN-8474-1 about?
USN-8474-1 is an Ubuntu Security Notice covering multiple vulnerabilities in NSD, the authoritative DNS server software.
Are all Ubuntu releases affected in the same way?
No. According to the notice, some issues specifically affected Ubuntu 26.04 LTS, including the SVCB handling flaw, the TLS logging use-after-free, and the TLS zone transfer authentication issue.
What should administrators do first?
Administrators should confirm whether NSD is deployed on Ubuntu systems, apply the security updates referenced by Ubuntu, and then review service health and zone transfer security settings.