HIGH 7.5

CVE-2026-10846: NLnet Labs ldns DNS Spoofing Vulnerability - Off-Path Poisoning Attack

NLnet Labs ldns, a DNS library used by many applications for DNS resolution, contains a critical validation flaw in its UDP stub resolver implementation. When applications use ldns to resolve DNS queries over UDP, the library fails to properly verify that responses match their requests—it doesn't check the source address, port, query ID, or even the question being asked. This oversight enables attackers on the network to inject malicious DNS responses without being on the direct path between the client and the legitimate DNS server, a technique known as off-path poisoning. The drill diagnostic tool bundled with ldns is directly affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-346
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10846 exploits insufficient response validation in ldns versions 1.2.0 through 1.9.0 when functioning as a stub resolver over UDP. The vulnerability stems from the absence of critical validation checks: the response source address and port are not matched against the query destination, the DNS transaction ID is not verified, and the question section is not cross-checked. This combination allows an attacker positioned anywhere on the network to craft a spoofed DNS response that will be accepted by the resolver, enabling DNS cache poisoning or response hijacking. The root cause maps to CWE-346 (Origin Validation Error), reflecting a fundamental failure in the request-response binding mechanism.

Business impact

Applications relying on ldns for DNS resolution—including enterprise tools, appliances, and cloud services—become susceptible to DNS hijacking attacks. An attacker can redirect users to malicious websites, intercept sensitive communications, or deliver malware without compromising the resolver itself or the authoritative DNS infrastructure. This is particularly dangerous in environments where DNS is relied upon for security decisions, such as email authentication (SPF/DKIM verification), certificate validation, or access control. Organizations using affected versions face elevated risk of phishing success, credential theft, and supply-chain attacks via poisoned DNS responses.

Affected systems

NLnet Labs ldns versions 1.2.0 through 1.9.0 are affected when used in stub resolver mode over UDP. Any application embedding ldns for DNS resolution is at risk, including the drill tool shipped with ldns itself. This encompasses DNS utilities, enterprise monitoring tools, DNS security appliances, and custom applications built atop ldns. Organizations should audit their codebase and dependencies for ldns usage and determine active version numbers in production.

Exploitability

This vulnerability is highly exploitable. The attack requires no authentication, no user interaction, and only network-level access—the attacker does not need to be on the direct path between the resolver and the authoritative server. CVSS 3.1 score of 7.5 (HIGH) reflects the high availability of attack vectors (AV:N), low attack complexity (AC:L), and integrity impact (I:H). The primary barrier is that the attacker must be able to send traffic that reaches the vulnerable resolver; however, in many network topologies (shared WiFi, cloud environments, BGP hijacking scenarios), this is feasible. No public exploit code is required—DNS spoofing techniques are well-established.

Remediation

Organizations should upgrade ldns to a patched version that implements proper response validation. Users must verify the specific version addressing this issue in the NLnet Labs release notes and security advisories. Until patching is possible, implement network-level mitigations: restrict DNS traffic to trusted authoritative servers, use DNSSEC for critical domains, deploy DNS query rate limiting, and consider filtering spoofed responses at the network perimeter. For applications with embedded ldns, verify that the library is updated or that the application itself implements additional response validation on top of ldns.

Patch guidance

Check the NLnet Labs ldns project repository and security advisories for the first version released after 1.9.0 that addresses this vulnerability. Organizations using ldns should review the vendor advisory to confirm the patched version number, as this information must be obtained from official sources. After patching, validate that the resolver correctly validates DNS response source addresses, ports, transaction IDs, and question sections. Consider deploying patches in a staging environment first to ensure application compatibility. For third-party applications using ldns, check with the vendor for updated versions that include patched ldns dependencies.

Detection guidance

Monitor DNS traffic for patterns indicative of response injection: unusually high rates of DNS responses from addresses that are not authoritative for the queried domain, mismatches between query and response transaction IDs (if logging DNS protocol details), or responses received before the expected latency to the configured nameserver. Implement DNS query/response logging with transaction ID tracking to detect spoofed responses. Intrusion detection systems can flag anomalous DNS response sources. Additionally, audit running processes and libraries using 'ldd' or similar tools to identify ldns usage and confirm versions in use. Check application logs for DNS resolution errors or unexpected destination changes.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (7.5), ease of exploitation (network-accessible, no authentication required), and broad potential impact on DNS infrastructure trustworthiness. Unlike many DNS flaws requiring specific network conditions, off-path poisoning can succeed in most environments where the attacker shares network access with the resolver. The attack directly compromises integrity of DNS responses, a foundation layer that many security controls depend upon. Organizations running ldns in any resolver capacity should prioritize patching and network-level mitigation immediately.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: Attack Vector (Network) and Attack Complexity (Low) indicate an attacker anywhere on the network can exploit this without special privileges; Privileges Required (None) and User Interaction (None) mean no user or admin action is needed; Confidentiality impact is None because DNS responses themselves are not encrypted or sensitive; Integrity impact is High because an attacker can inject false DNS responses that applications will trust; and Availability is None because the resolver continues to function—only the accuracy of its responses is compromised. The severity is HIGH because DNS response integrity underpins trust in internet connectivity.

Frequently asked questions

Does this affect DNSSEC-signed domains?

DNSSEC validation would prevent acceptance of unsigned spoofed responses, but only if the application using ldns explicitly validates DNSSEC signatures. Many applications use ldns without DNSSEC validation enabled by default. Additionally, the vulnerability still affects non-DNSSEC domains, which remain prevalent. DNSSEC deployment should be considered a complementary mitigation, not a replacement for patching.

Is the drill tool dangerous if I run it?

The drill diagnostic tool is vulnerable when it queries over UDP and does not validate responses properly. If you use drill to query untrusted DNS servers or in environments where an attacker can inject packets, the tool may accept spoofed responses. For secure operation, drill should be updated to a patched ldns version, and queries should be limited to trusted resolvers.

Can this be exploited across the internet or only on local networks?

This can be exploited across the internet if the attacker can route packets to the vulnerable resolver. While exploitation is easiest on shared networks (WiFi, cloud environments), internet-scale attacks are possible via BGP hijacking, ISP compromise, or CDN-level positioning. The key requirement is that the attacker's spoofed response packet reaches the resolver before the legitimate response does.

What versions of ldns should we use?

Users should consult the official NLnet Labs ldns security advisories and release notes to identify the first patched version after 1.9.0. Do not assume a specific version without verifying against official vendor guidance, as this information must come from the upstream project.

This analysis is provided for informational purposes and does not constitute professional security advice. Patch version numbers and KEV inclusion status must be verified against official NLnet Labs advisories and CISA sources. Organizations should conduct independent risk assessment and testing in their own environments before applying patches. Exploitation details herein are descriptive only and should not be used to develop working exploits. SEC.co and its analysts make no warranties regarding the completeness or accuracy of this assessment beyond the structured vulnerability data provided. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).