- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
+ - Fix CVE-2026-42960, Possible cache poisoning attack while following
+ delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
+ and JianJun Chen, Tsinghua University, for the report.
23 April 2026: Wouter
- Merge #1441: Fix buffer overrun in
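Review bot: The new CVE-2026-42960 entry names the attack but not the behaviour change that fixes it, so an operator reading the changelog cannot tell that response handling is now stricter. Consider extending the entry with a short clause taken from the code comment in this same change, for example that glue is only marked as allowed for type NS in the authority section. That also lets anyone who sees fewer cached address records after upgrading trace the difference back to this fix.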
rrset->rrset_all_next = NULL;
return 1;
}
- mark_additional_rrset(pkt, msg, rrset);
+ /* Only mark glue as allowed for type NS in the authority
+ * section. Other RR types do not get glue for them, it
+ * is allowed from the answer section, but not authority
+ * so that a message can not have address records cached
+ * as a side effect to the query. */
+ if(rrset->type==LDNS_RR_TYPE_NS)
+ mark_additional_rrset(pkt, msg, rrset);
prev = rrset;
rrset = rrset->rrset_all_next;
}
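Review bot: The added condition `if(rrset->type==LDNS_RR_TYPE_NS)` tests only the RR type, while the comment above it scopes the rule to the authority section. Nothing in the visible lines checks the section, so the restriction relies on the enclosing loop visiting only authority rrsets. Either say so in the comment or put an explicit section test next to the type test, so that a later change to the loop cannot silently widen what gets marked. The comment sentence "it is allowed from the answer section, but not authority" is also hard to parse because "it" has no clear referent; naming the subject, for example "glue for other RR types is allowed from the answer section only", would make the intent unambiguous.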