CVE-2026-10846 - High Severity Vulnerability
Vulnerable Library - freebsd-srcrelease/15.0.0-p7
The FreeBSD src tree publish-only repository. Experimenting with 'simple' pull requests....
Library home page: https://github.com/freebsd/freebsd-src.git
Found in base branches: stable/4.0, master
Vulnerable Source Files (1)
Vulnerability Details
NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.
Publish Date: 2026-06-10
URL: CVE-2026-10846
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-10
Fix Resolution: https://github.com/NLnetLabs/ldns.git - 1.9.1
Step up your Open Source Security Game with Mend here
CVE-2026-10846 - High Severity Vulnerability
The FreeBSD src tree publish-only repository. Experimenting with 'simple' pull requests....
Library home page: https://github.com/freebsd/freebsd-src.git
Found in base branches: stable/4.0, master
NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.
Publish Date: 2026-06-10
URL: CVE-2026-10846
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-10
Fix Resolution: https://github.com/NLnetLabs/ldns.git - 1.9.1
Step up your Open Source Security Game with Mend here