From 94d5babaee22a016e376bdcfee2b9bb40360367c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Wed, 20 May 2026 10:14:32 +0200
Subject: [PATCH] - Fix CVE-2026-42959, Crash during DNSSEC validation of
 malicious   content. Thanks to Qifan Zhang, Palo Alto Networks, for the
 report.

---
 doc/Changelog         | 2 ++
 validator/val_utils.c | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index e003ed3fe..d8ef6ee82 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,8 @@
 	- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
 	  cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
 	  Networks, for the report.
+	- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
+	  content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
 
 23 April 2026: Wouter
 	- Merge #1441: Fix buffer overrun in
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 411a63b25..8e4c91900 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 			if(query_dname_compare(name, 
 				orig->rrsets[i]->rk.dname) == 0)
 			    chase->rrsets[chase->an_numrrsets
-				+orig->ns_numrrsets+chase->ar_numrrsets++] 
+				+chase->ns_numrrsets+chase->ar_numrrsets++]
 				= orig->rrsets[i];
 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
-			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
+			chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
 				chase->ar_numrrsets++] = orig->rrsets[i];
 		}
 	}
-- 
2.47.3