CVE-2026-10846 | Severity: HIGH | CNA: NLnet Labs

CVE-2026-10846: Insufficient verification that responses belong to a query

NLnet Labs ldns 1.2.0 up to and including 1.9.0, when used by applications as a (stub) resolver over UDP, does not match the query's destination address and port against the response's source address and port. Furthermore, neither the query ID nor the question section of the query is matched against that of the response. This makes applications that use ldns for (stub) resolver functionality over UDP vulnerable to off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.

Metrics

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 1.9.1
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a DNS response validation bypass in NLnet Labs ldns, a DNS library used as a stub resolver over UDP. The flaw is reachable over the network with no authentication required, and stems from ldns failing to verify that a DNS response matches its originating query by checking the source address, source port, query ID, or question section. A successful off-path attacker can inject forged DNS responses, causing applications using ldns for resolution to cache and act on attacker-controlled records, enabling DNS cache poisoning. A patched-image rebuild at version 1.9.1 is available on HarborGuard for affected environments.
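The verification the advisory describes as missing, shown as an added defender-side example (not ldns code and not the 1.9.1 fix itself): a UDP stub resolver should accept a reply only when the sender's address and port, the 16-bit query ID and the question section all match the query it sent. The function names are my own, and the query, reply and peer addresses are constructed samples.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Length of the single question (QNAME + QTYPE + QCLASS) after the 12-byte
 * header, or 0 if QDCOUNT != 1, the name is truncated or uses compression. */
static size_t dns_question_len(const uint8_t *m, size_t len) {
    size_t i = 12;
    if (len < 12 || m[4] != 0 || m[5] != 1) return 0;
    while (i < len && m[i] != 0) {
        if (m[i] & 0xC0) return 0;          /* no pointers in a stub's question */
        i += 1 + m[i];
    }
    return i + 5 <= len ? i + 5 - 12 : 0;   /* +1 root label, +4 type/class */
}

/* The checks the advisory says ldns <= 1.9.0 skipped: the reply must come from
 * the socket address the query went to, carry the query ID and the QR bit, and
 * repeat the question (QNAME compared case-insensitively, as DNS names are). */
bool dns_response_matches_query(const uint8_t *q, size_t qlen,
                                const uint8_t *r, size_t rlen,
                                const struct sockaddr_in *sent_to,
                                const struct sockaddr_in *recv_from) {
    if (recv_from->sin_family != sent_to->sin_family ||
        recv_from->sin_port != sent_to->sin_port ||
        recv_from->sin_addr.s_addr != sent_to->sin_addr.s_addr) return false;
    size_t qq = dns_question_len(q, qlen);
    if (qq == 0 || qq != dns_question_len(r, rlen)) return false;
    if (q[0] != r[0] || q[1] != r[1] || !(r[2] & 0x80)) return false;
    for (size_t i = 0; i < qq; i++) {
        int a = q[12 + i], b = r[12 + i];
        if (i < qq - 4) { a = tolower(a); b = tolower(b); }   /* name bytes only */
        if (a != b) return false;
    }
    return true;
}

/* Constructed samples: a query for example.com/A with ID 0x1234, and the
 * genuine reply, which echoes the question in different case plus one A record. */
static const uint8_t kQuery[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
static const uint8_t kReply[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    7,'E','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1 };
```

A reply that fails any one of these checks is dropped before its records are used, which is what denies an off-path sender the ability to answer a query it never saw.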

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10846 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that vendor or bundle ldns versions 1.2.0 through 1.9.0.

Triage: Available

HarborGuard scores this CVE at 8.2 HIGH per CVSS v4.0, and triage is capable of weighting that score against each environment's compliance policy to surface appropriate urgency. Findings are routed to the relevant team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at ldns 1.9.1 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send UDP packets to the resolving application over the network; no local or physical access is needed.

  • Authentication: Not required

    No authentication or existing account is needed; the attack is available to any off-path network actor.

  • Victim interaction: Not required

    No user action is required; the application's normal DNS resolution process is sufficient to trigger the vulnerable code path.

  • Attack complexity: Low (AC:L), attack requirements present (AT:P)

    The exploit logic itself needs no special conditions and is reliable, but the CVSS AT:P metric indicates that a specific deployment condition (the application performing UDP-based stub resolution with ldns) must hold for the attack to succeed.

Blast Radius

  • An attacker poisons the DNS resolution cache used by the affected application, redirecting domain lookups to attacker-controlled IP addresses.
  • Traffic intended for legitimate services is silently rerouted, enabling interception or manipulation of application-layer connections built on those lookups.
  • The drill tool shipped with ldns is directly affected, so any tooling or scripts that invoke drill for DNS queries are exposed to the same poisoning risk.

How HarborGuard Handles This

Available on HarborGuard: images containing ldns 1.2.0 through 1.9.0 are matched against this CVE automatically at each ingest cycle, with results visible in each customer's vulnerability dashboard. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding affected images at ldns 1.9.1, executing configured regression tests, and opening a PR against the affected workload repositories. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, or where compliance policy requires manual review, the dashboard surfaces the affected images with the fix version and component path so engineers can act directly. Where network policy controls are available, isolating services that perform UDP-based DNS resolution to restrict unexpected inbound UDP traffic on port 53 can reduce exposure until a rebuilt image is deployed.


Fix available: 1.9.1

Affected packages
  • NLnet Labs / ldns: < 1.9.1 (from 1.2.0)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N