Mallory
Severity: High

Off-path DNS response poisoning in NLnet Labs ldns stub resolver over UDP

Identifiers: CVE-2026-10846, CWE-345

CVE-2026-10846 affects NLnet Labs ldns versions 1.2.0 through 1.9.0 inclusive when the library is used by applications as a stub resolver over UDP. The vulnerable resolver logic does not adequately validate that an incoming DNS response corresponds to an outstanding query. Specifically, ldns fails to verify that the response source address and source port match the original query destination address and port, and it also fails to verify the DNS transaction ID and question section against the original query. Because multiple expected query/response correlation fields are not checked, forged UDP responses can be accepted as legitimate. This exposes applications using ldns for UDP stub resolution to off-path DNS cache/response poisoning. The bundled drill tool is explicitly affected, and advisories also note impact to consumers such as host(1) and ssh(1) when VerifyHostKeyDNS is used in affected environments.
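The correlation checks the description says are missing are easiest to see as code. The following Python is an added example, not ldns code and not the project's fix; it uses its own minimal wire-format parser and constructed sample packets (the upstream resolver address 192.0.2.53:53, the transaction ID 0x1234 and the example.com question are made up) and shows the checks a UDP stub resolver must apply before accepting a response: the source address and port equal the query destination, the QR bit is set, the transaction ID matches, and the question section matches the one that was sent.

```python
import struct

def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2               # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_header_and_question(msg):
    """Return id, QR flag and the (single) question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short message")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "qclass": qclass}

def build_query(txid, qname, qtype=1, qclass=1):
    """Build a standard recursive query (RD=1) for qname/qtype/qclass."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def response_matches_query(query, query_dst, response, response_src):
    """Apply every correlation check a stub resolver needs; return (accepted, reason)."""
    if response_src != query_dst:
        return False, "source address/port does not match query destination"
    try:
        q = parse_header_and_question(query)
        r = parse_header_and_question(response)
    except ValueError as exc:
        return False, "malformed message: %s" % exc
    if not r["qr"]:
        return False, "QR bit not set: this is a query, not a response"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if (r["qname"], r["qtype"], r["qclass"]) != (q["qname"], q["qtype"], q["qclass"]):
        return False, "question section mismatch"
    return True, "accepted"

def _response(txid, qname, answer_ip):
    """Constructed response: matching question plus one A record via a name pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in answer_ip.split("."))
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + rr

def demo():
    """Run the check over a genuine response and three mismatching ones (all constructed)."""
    server = ("192.0.2.53", 53)
    query = build_query(0x1234, "example.com")
    cases = {
        "genuine":        (_response(0x1234, "example.com", "192.0.2.1"), server),
        "wrong_txid":     (_response(0x4321, "example.com", "192.0.2.1"), server),
        "wrong_port":     (_response(0x1234, "example.com", "192.0.2.1"), ("192.0.2.53", 5353)),
        "wrong_question": (_response(0x1234, "example.net", "192.0.2.1"), server),
    }
    return {name: response_matches_query(query, server, resp, src)[0]
            for name, (resp, src) in cases.items()}

if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-15s %s" % (name, "accepted" if accepted else "rejected"))
```

Only the `genuine` case is accepted; the other three are rejected on exactly the fields the advisory says ldns failed to compare. Name comparison is case-insensitive, as the DNS requires, so a resolver that randomizes query-name case still matches its own question.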

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an off-path attacker to inject spoofed DNS responses that ldns accepts as genuine. This can cause applications relying on ldns stub resolution to receive attacker-controlled DNS data, undermining DNS integrity. Practical consequences include redirection to attacker-chosen hosts, delivery of falsified name resolution results, and downstream trust decisions based on poisoned DNS answers. Advisory material specifically notes arbitrary DNS data may be returned to programs using ldns for stub resolution, including drill(1), host(1), and ssh(1) when VerifyHostKeyDNS is enabled. The provided CVSS 4.0 vector indicates high integrity impact without direct confidentiality or availability impact.

Mitigation

If you can’t patch tonight, do this now.

No workaround is available according to the cited FreeBSD advisory. Until a fixed build is installed, the practical mitigation is to avoid depending on ldns UDP stub resolution for trust decisions (for example drill, host, and ssh with VerifyHostKeyDNS enabled), and to update affected systems and applications to a fixed ldns release or vendor-corrected package as soon as possible.

Remediation

Patch, then assume compromise.

Upgrade ldns to version 1.9.1 or later, as 1.9.1 was released to correct the issue. For environments pinned to ldns 1.9.0, NLnet Labs provided a manual patch file, patch_cve_2026-10846.diff, which should be applied in the ldns source directory followed by rebuilding and reinstalling the library (the advisory states to run 'patch -p0 < patch_cve_2026-10846.diff' and then 'make install'). On FreeBSD, follow the vendor advisory guidance: update to a supported stable or release/security branch containing the fix via pkg upgrade or freebsd-update where applicable, or apply the FreeBSD vendor patch and rebuild/install from source. Restart affected daemons or reboot after updating so linked processes use the corrected library.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability:

Vendor   Product   Type
FreeBSD  FreeBSD   application

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.