PatchSiren

CVE-2026-10846 NLnet Labs CVE debrief

CVE-2026-10846 is a HIGH-severity vulnerability in NLnet Labs ldns, a DNS library. Versions 1.2.0 through 1.9.0 are affected when used as a (stub) resolver over UDP. The library does not match a response's source address and port against the query's destination address and port, and does not match the response's query ID and question against those of the query, which allows off-path poisoning attacks.

Vendor: NLnet Labs
Product: ldns
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Developers and administrators using NLnet Labs ldns for DNS resolution in their applications, especially those using it as a (stub) resolver over UDP, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in NLnet Labs ldns versions 1.2.0 through 1.9.0. When used as a (stub) resolver over UDP, ldns does not properly match the query destination address and port with the response source address and port. Additionally, it does not match the query ID or the question of the query with that of the response. This oversight makes applications using ldns for (stub) resolver functionality over UDP vulnerable to off-path poisoning attacks. The drill tool, which is shipped with ldns, is also affected by this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Update to a version of ldns that is not vulnerable (e.g., version 1.9.1 or later).
  • Use ldns with TCP instead of UDP if possible.
  • Implement additional validation and verification of DNS responses in applications using ldns.
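
The third action can be made concrete with the four checks the technical summary lists as missing: source address, source port, query ID and question. The following is an added example, not ldns code or the upstream fix; `response_matches_query`, `question_len`, `mk_addr` and the sample packets are names and data constructed here, and it assumes IPv4 and a server that echoes the question byte for byte.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length of the question (QNAME+QTYPE+QCLASS) at offset 12; 0 if malformed. */
static size_t question_len(const uint8_t *m, size_t n) {
    size_t i = 12;
    while (i < n && m[i] != 0) {
        if (m[i] > 63) return 0;           /* no compression pointers in a question */
        i += (size_t)m[i] + 1;
    }
    return (i + 5 <= n) ? i + 5 - 12 : 0;  /* root label + QTYPE + QCLASS */
}

/* 1 if reply r, received from `from`, answers query q that was sent to `to`. */
int response_matches_query(const uint8_t *q, size_t qn, const uint8_t *r, size_t rn,
                           struct sockaddr_in to, struct sockaddr_in from) {
    if (from.sin_family != to.sin_family || from.sin_port != to.sin_port ||
        from.sin_addr.s_addr != to.sin_addr.s_addr) return 0;  /* source addr/port */
    if (qn < 12 || rn < 12) return 0;                          /* truncated header */
    if (q[0] != r[0] || q[1] != r[1]) return 0;                /* query ID */
    if (!(r[2] & 0x80)) return 0;                              /* QR bit not set */
    if (q[4] || q[5] != 1 || r[4] || r[5] != 1) return 0;      /* QDCOUNT must be 1 */
    size_t ql = question_len(q, qn);
    /* Assumption: the server echoes the question byte for byte. */
    if (ql == 0 || rn < 12 + ql || memcmp(q + 12, r + 12, ql) != 0) return 0;
    return 1;
}

/* Helper for the constructed samples (IPv4, documentation addresses). */
struct sockaddr_in mk_addr(const char *ip, uint16_t port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

/* Constructed samples: query for example.com A/IN, ID 0x1a2b, and three replies. */
#define NAME 7,'e','x','a','m','p','l','e',3,'c','o','m',0
const uint8_t Q[]      = {0x1a,0x2b,0x01,0x00,0,1,0,0,0,0,0,0, NAME, 0,1,0,1};
const uint8_t R_OK[]   = {0x1a,0x2b,0x81,0x80,0,1,0,0,0,0,0,0, NAME, 0,1,0,1};
const uint8_t R_ID[]   = {0x55,0x55,0x81,0x80,0,1,0,0,0,0,0,0, NAME, 0,1,0,1};  /* wrong ID */
const uint8_t R_TYPE[] = {0x1a,0x2b,0x81,0x80,0,1,0,0,0,0,0,0, NAME, 0,28,0,1}; /* AAAA */

int main(void) {  /* exit status 0 when the genuine reply is accepted */
    struct sockaddr_in s = mk_addr("192.0.2.53", 53);
    return !response_matches_query(Q, sizeof Q, R_OK, sizeof R_OK, s, s);
}
```

On a connected UDP socket the kernel already discards datagrams from other peers, so the address and port comparison matters most for code that calls recvfrom() on an unconnected socket.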

Evidence notes

The CVE-2026-10846 vulnerability was published on [cve-org] and detailed information can be found at [nvd]. Additional references include [ref-4] and [ref-5].

Official resources

CVE-2026-10846 was published on 2026-06-10T07:16:24.443Z and modified on 2026-06-10T20:13:47.847Z.