content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
+ - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
+ Zhang, Palo Alto Networks, for the report.
23 April 2026: Wouter
- Merge #1441: Fix buffer overrun in
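Review bot: The new CVE-2026-40622 entry names the issue but does not say what resolver behaviour changes, which is what an operator reading the changelog needs to know. Consider extending it with a short clause on the effect of the fix, for example that an NS rrset replacing an unexpired cached entry no longer gets a TTL beyond that of the entry it replaces, matching the comment in the code change.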
if(equal && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
cached->security == sec_status_bogus)
return 0;
+ /* ghost-domain: never let an NS overwrite extend lifetime
+ * past the entry it replaces, regardless of trust. */
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
+ newd->ttl > cached->ttl) {
+ size_t i;
+ newd->ttl = cached->ttl;
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
+ if(newd->rr_ttl[i] > newd->ttl)
+ newd->rr_ttl[i] = newd->ttl;
+ }
return 1;
}
/* o item in cache has expired */
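Review bot: The added block mutates its input (`newd->ttl = cached->ttl;` and the `newd->rr_ttl[i]` loop) immediately before `return 1;`, in a function whose visible paths otherwise only return 0 or 1, so the side effect should be stated in the function's header comment so callers know `newd` can come back with lowered TTLs. Two smaller points on the same lines: `newd->ttl > cached->ttl` is compared against a value that `TTL_IS_EXPIRED(cached->ttl, timenow)` treats as an absolute expiry time, so please confirm that `newd->ttl` and `newd->rr_ttl[]` are already absolute at this call site, otherwise the clamp compares mismatched units. Also, the `for` with a nested `if` has no braces; adding them would make it harder to break the clamp in a later edit.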