- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious

  content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

diff --git a/doc/Changelog b/doc/Changelog
index e003ed3fe784042cb3be9cfa9b1f672d9e3ab646..d8ef6ee822bf411ab85d2e39797daad8f61fc901 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,8 @@
        - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
          cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
          Networks, for the report.
+       - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
+         content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
 
 23 April 2026: Wouter
        - Merge #1441: Fix buffer overrun in

diff --git a/validator/val_utils.c b/validator/val_utils.c
index 411a63b25c5b53e7ba9aeae90ca486594cccf38b..8e4c9190043d08fe10f50bd3ab464c949a51fc83 100644 (file)
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
                        if(query_dname_compare(name, 
                                orig->rrsets[i]->rk.dname) == 0)
                            chase->rrsets[chase->an_numrrsets
-                               +orig->ns_numrrsets+chase->ar_numrrsets++] 
+                               +chase->ns_numrrsets+chase->ar_numrrsets++]
                                = orig->rrsets[i];
                } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
-                       chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
+                       chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
                                chase->ar_numrrsets++] = orig->rrsets[i];
                }
        }