microsoft · jslobodzian · Jun 12, 2026 · Jun 11, 2026 · Jun 11, 2026
@@ -0,0 +1,93 @@
+From 06efd4f289d8f5cf68b48479ab8bf8efab508d65 Mon Sep 17 00:00:00 2001
+From: Willem Toorop <willem@nlnetlabs.nl>
+Date: Tue, 2 Jun 2026 12:19:38 +0200
+Subject: [PATCH] Match question from query in response, and...
+
+... error codes for unmatched ID and for QDCOUNT != 1 in both queries and responses
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/NLnetLabs/ldns/commit/9ea51a68d458b43a17ccf4ee98a71325300df524.patch
+---
+ error.c      |  6 ++++++
+ ldns/error.h |  5 ++++-
+ net.c        | 24 ++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/error.c b/error.c
+index e3fd121..f046c96 100644
+--- a/error.c
++++ b/error.c
+@@ -184,6 +184,12 @@ ldns_lookup_table ldns_error_str[] = {
+ 	{ LDNS_STATUS_INVALID_SVCPARAM_VALUE,
+ 		"Invalid wireformat of a value "
+ 		"in the ServiceParam rdata field of SVCB or HTTPS RR" },
++	{ LDNS_STATUS_ID_DID_NOT_MATCH,
++		"Response ID did not match the query ID" },
++	{ LDNS_STATUS_QDCOUNT_MUST_BE_ONE,
++		"The query section MUST contain exactly one question" },
++	{ LDNS_STATUS_QUERY_DID_NOT_MATCH,
++		"The question in the response did not match the query" },
+ 	{ 0, NULL }
+ };
+
+diff --git a/ldns/error.h b/ldns/error.h
+index 2429b77..5754f5a 100644
+--- a/ldns/error.h
++++ b/ldns/error.h
+@@ -141,7 +141,10 @@ enum ldns_enum_status {
+ 	LDNS_STATUS_RESERVED_SVCPARAM_KEY,
+ 	LDNS_STATUS_NO_SVCPARAM_VALUE_EXPECTED,
+ 	LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE,
+-	LDNS_STATUS_INVALID_SVCPARAM_VALUE
++	LDNS_STATUS_INVALID_SVCPARAM_VALUE,
++	LDNS_STATUS_ID_DID_NOT_MATCH,
++	LDNS_STATUS_QDCOUNT_MUST_BE_ONE,
++	LDNS_STATUS_QUERY_DID_NOT_MATCH
+ };
+ typedef enum ldns_enum_status ldns_status;
+
+diff --git a/net.c b/net.c
+index 57d4dff..5006128 100644
+--- a/net.c
++++ b/net.c
+@@ -512,6 +512,10 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+
+ 	assert(r != NULL);
+
++	/* The query should at least have one question */
++	if(ldns_buffer_limit(qb) < 6 || ldns_buffer_read_u16_at(qb, 4) != 1)
++		return LDNS_STATUS_QDCOUNT_MUST_BE_ONE;
++
+ 	status = LDNS_STATUS_OK;
+ 	rtt = ldns_resolver_rtt(r);
+ 	ns_array = ldns_resolver_nameservers(r);
+@@ -670,6 +674,26 @@ ldns_send_buffer(ldns_pkt **result, ldns_resolver *r, ldns_buffer *qb, ldns_rdf
+ #endif /* HAVE_SSL */
+
+ 	LDNS_FREE(reply_bytes);
++	if (reply) {
++		ldns_pkt *query = NULL;
++
++		if(ldns_pkt_qdcount(reply) != 1) {
++			status = LDNS_STATUS_QDCOUNT_MUST_BE_ONE;
++			ldns_pkt_free(reply);
++			reply = NULL;
++
++		} else if(ldns_wire2pkt(&query
++				, ldns_buffer_begin(qb)
++				, ldns_buffer_position(qb)) != LDNS_STATUS_OK
++		|| ldns_pkt_qdcount(query) != 1
++		|| ldns_rr_compare(ldns_rr_list_rr(ldns_pkt_question(query),0)
++		                  ,ldns_rr_list_rr(ldns_pkt_question(reply),0))) {
++			status = LDNS_STATUS_QUERY_DID_NOT_MATCH;
++			ldns_pkt_free(reply);
++			reply = NULL;
++		}
++		ldns_pkt_free(query);
++	}
+ 	if (result) {
+ 		*result = reply;
+ 	}
+-- 
+2.45.4
+
@@ -31,7 +31,7 @@
 Summary:        Low-level DNS(SEC) library with API
 Name:           ldns
 Version:        1.8.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -41,6 +41,7 @@ Source0:        http://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar
 
 Patch1:         ldns-swig-4.2.patch
 Patch2:         fix-intermittent-build-failure-with-milti-job-build.patch
+Patch3:         CVE-2026-10846.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -279,6 +280,9 @@ rm -rf doc/man
 %doc doc
 
 %changelog
+* Thu Jun 11 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.8.3-3
+- Patch for CVE-2026-10846
+
 * Tue Feb 25 2025 Tobias Brick <tobiasb@microsoft.com> - 1.8.3-2
 - Patch to fix multi-job builds.
 - Also removed comment that caused rpmbuild warning.