{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27831", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-02-26T00:11:45.608Z", "dateUpdated": "2026-02-27T15:24:12.727Z"}, "containers": {"cna": {"title": "rldns Vulnerable to Heap-based Out-of-Bounds Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4"}, {"name": "https://github.com/bluedragonsecurity/rldns-1.3-heap-out-of-bounds-vulnerability-fixed-in-rldns-1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/bluedragonsecurity/rldns-1.3-heap-out-of-bounds-vulnerability-fixed-in-rldns-1.4"}, {"name": "https://github.com/bluedragonsecurity/rldns_archives/blob/main/diff/rldns-1.4.diff", "tags": ["x_refsource_MISC"], "url": "https://github.com/bluedragonsecurity/rldns_archives/blob/main/diff/rldns-1.4.diff"}, {"name": "https://medium.com/@w1sdom/heap-based-buffer-over-read-vulnerability-in-rldns-1-3-5da3bccdc031", "tags": ["x_refsource_MISC"], "url": "https://medium.com/@w1sdom/heap-based-buffer-over-read-vulnerability-in-rldns-1-3-5da3bccdc031"}], "affected": [{"vendor": "bluedragonsecurity", "product": "rldns", "versions": [{"version": "= 1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T15:24:12.727Z"}, "descriptions": [{"lang": "en", "value": "rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue."}], "source": {"advisory": "GHSA-fv38-45j4-g9x4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:14:43.983653Z", "id": "CVE-2026-27831", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:14:48.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27831", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:14:43.983653Z"}}}], "references": [{"url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:14:37.204Z"}}], "cna": {"title": "rldns Vulnerable to Heap-based Out-of-Bounds Read", "source": {"advisory": "GHSA-fv38-45j4-g9x4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bluedragonsecurity", "product": "rldns", "versions": [{"status": "affected", "version": "= 1.3"}]}], "references": [{"url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4", "name": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bluedragonsecurity/rldns-1.3-heap-out-of-bounds-vulnerability-fixed-in-rldns-1.4", "name": "https://github.com/bluedragonsecurity/rldns-1.3-heap-out-of-bounds-vulnerability-fixed-in-rldns-1.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bluedragonsecurity/rldns_archives/blob/main/diff/rldns-1.4.diff", "name": "https://github.com/bluedragonsecurity/rldns_archives/blob/main/diff/rldns-1.4.diff", "tags": ["x_refsource_MISC"]}, {"url": "https://medium.com/@w1sdom/heap-based-buffer-over-read-vulnerability-in-rldns-1-3-5da3bccdc031", "name": "https://medium.com/@w1sdom/heap-based-buffer-over-read-vulnerability-in-rldns-1-3-5da3bccdc031", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "rldns is an open source DNS server. Version 2.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:11:45.608Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27831", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:14:48.813Z", "dateReserved": "2026-02-24T02:32:39.800Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:11:45.608Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue."}, {"lang": "es", "value": "rldns es un servidor DNS de c\u00f3digo abierto. La versi\u00f3n 2.3 tiene una lectura fuera de l\u00edmites basada en el heap que conduce a denegaci\u00f3n de servicio. La versi\u00f3n 1.4 contiene un parche para el problema."}], "id": "CVE-2026-27831", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T01:16:24.770", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bluedragonsecurity/rldns-1.3-heap-out-of-bounds-vulnerability-fixed-in-rldns-1.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4"}, {"source": "security-advisories@github.com", "url": "https://github.com/bluedragonsecurity/rldns_archives/blob/main/diff/rldns-1.4.diff"}, {"source": "security-advisories@github.com", "url": "https://medium.com/@w1sdom/heap-based-buffer-over-read-vulnerability-in-rldns-1-3-5da3bccdc031"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/bluedragonsecurity/rldns/security/advisories/GHSA-fv38-45j4-g9x4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.3,1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "rldns", "source": "cna", "vendor": "bluedragonsecurity"}, "product": "rldns", "vendor": "bluedragonsecurity"}], "analysis": {"en": {"generated_at": "2026-04-17T14:38:13.259568+00:00", "value": {"mitigation_remediation": ["Upgrade rldns to version\u00a01.4 or later, where the heap read issue has been fixed.", "If upgrading is not immediately possible, replace the vulnerable binary with the patched diff reference\u00a0rldns-1.4.diff\u00a0to apply the fix manually.", "As a temporary operational measure, monitor DNS server uptime and disable the service during unexpected crashes to mitigate service disruption until a full update can be deployed."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected vendor is bluedragonsecurity, product rldns. Version 1.3 of the software is vulnerable. Version 1.4 contains a patch that eliminates the issue. No other product versions are currently listed as affected.", "description_and_impact": "The rldns DNS server version 1.3 contains a heap-based out-of-bounds read that allows an attacker to trigger a service crash, resulting in denial of service. This vulnerability, identified as CWE-125, occurs when the server reads beyond the bounds of a heap buffer, causing memory corruption that terminates the process. If exploited, the server becomes unavailable to legitimate clients, disrupting DNS resolution for connected networks.", "risk_and_exploitability": "The CVSS v3.1 score for this vulnerability is 7.5, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack is likely remote, triggered by crafted DNS requests that exploit the out-of-bounds read; this inference is drawn from the nature of DNS servers and typical attack vectors for memory corruption flaws. Successful exploitation would cause a denial of service, but does not provide direct code execution or data exfiltration capabilities."}}}}, "created": "2026-02-26T13:10:23.840063+00:00", "updated": "2026-04-17T14:45:21.030244+00:00", "vendors": ["bluedragonsecurity", "bluedragonsecurity$PRODUCT$rldns"]}