Skip to main content

dnsmasq CVE-2026-12725

| EUVDEUVD-2026-38278 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-06-22 redhat GHSA-hv63-qc47-8j8h
5.9
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

AC:H reflects the non-default dual-configuration gate (DNSSEC + logging); AV:N captures network-delivered DNS response; A:H reflects full process crash; C:N/I:N confirmed by DoS-only impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 16:01 vuln.today
CVE Published
Jun 22, 2026 - 13:55 cve.org
MEDIUM 5.9

DescriptionCVE.org

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

AnalysisAI

Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify dnsmasq with DNSSEC validation and logging both enabled
Delivery
Gain control of or spoof an authoritative DNS response
Exploit
Craft DS or DNSKEY record with unsupported algorithm or digest type
Execution
Deliver response to target dnsmasq resolver
Persist
Trigger heap overflow in logging path
Impact
Crash dnsmasq process, disrupting DNS and DHCP for dependent clients

Vulnerability AssessmentAI

Exploitation Exploitation requires the target dnsmasq instance to have BOTH the `dnssec` option (DNSSEC validation) AND the `log-queries` option (query logging) explicitly enabled in dnsmasq.conf - neither is active in default dnsmasq configurations, which significantly limits the exposed population. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H is well-calibrated to the described vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a malicious authoritative DNS server for a delegated zone - or capable of injecting DNS responses via cache poisoning or network interception - crafts a DNSKEY or DS record containing an algorithm or digest identifier not supported by the target dnsmasq build. When a vulnerable dnsmasq instance with both DNSSEC validation and query logging enabled resolves a name in that zone, it receives the crafted response, attempts to log the unsupported record, overflows the internal heap logging buffer, and crashes - taking down DNS and DHCP services for all clients dependent on that dnsmasq instance. …
Remediation Apply vendor-released patches from Red Hat via the security advisory at https://access.redhat.com/security/cve/CVE-2026-12725; exact fixed package versions are not independently confirmed from available data and should be verified directly in the advisory and tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2490763. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-12725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy