cvedb.io
CVE-2026-10846
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-10T07:16:24.443 · Last modified 2026-06-17T14:07:53.217

Summary

NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.

Affected products

nlnetlabs — ldns

Does this affect you?

Add your gear to cvedb and we'll alert you only when nlnetlabs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.