CVE-2026-27831
Published: 26 February 2026
Summary
CVE-2026-27831 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27831 is a heap-based out-of-bounds read vulnerability (CWE-125) affecting rldns, an open source DNS server. The issue exists in version 1.3, where improper bounds checking during memory access leads to a denial of service condition. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for remote disruption without authentication or user interaction.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity by sending a specially crafted DNS query to the rldns server running version 1.3. Successful exploitation triggers the out-of-bounds read on the heap, causing the server process to crash and resulting in a denial of service that disrupts DNS resolution services for affected systems.
Advisories from the rldns GitHub security page (GHSA-fv38-45j4-g9x4) and related analyses confirm that version 1.4 includes a patch addressing the heap out-of-bounds read. Security practitioners should upgrade to rldns 1.4 or later, with patch details available in the provided diff file and advisory reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8787
Vulnerability details
rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated heap out-of-bounds read in a public-facing DNS server maps directly to T1190 (exploiting a public-facing application over the network), used here to achieve T1499.004 (application crash/DoS via a crafted query).
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the heap-based out-of-bounds read by requiring timely identification, reporting, and patching of the flaw as fixed in rldns version 1.4.
Addresses the root cause of improper bounds checking on crafted DNS queries by enforcing validation of all information inputs to the DNS server.
Provides system-level memory protections such as heap hardening and randomization to mitigate the impact of out-of-bounds reads on the DNS server process.