CVE-2026-12725
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-122: Heap-based Buffer Overflow
Workarounds
Mitigate this issue by updating to a version of dnsmasq that includes the upstream fix (commit 36d081e37477027fd721fea498f3760f529034ad), or by disabling query logging if DNSSEC validation must remain enabled. After changing the configuration, restart the dnsmasq service for the changes to take effect.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-12725
- https://bugzilla.redhat.com/show_bug.cgi?id=2490763
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.