Skip to main content

dnsmasq CVE-2026-12969

| EUVDEUVD-2026-38449 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-23 redhat GHSA-wmwj-946w-3m8w
5.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network delivery via DNS response, no victim-side auth needed, only low confidentiality impact from bounded heap read; no integrity or availability effect described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
5.3 LOW
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 23, 2026 - 14:16 vuln.today
CVE Published
Jun 23, 2026 - 13:28 cve.org
MEDIUM 5.3

DescriptionCVE.org

An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.

AnalysisAI

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control authoritative DNS zone
Delivery
Induce victim dnsmasq to query attacker-controlled domain
Exploit
Respond with crafted NXDOMAIN containing malformed NS record
Execution
Trigger extract_name() with extrabytes=0 in find_soa()
Persist
10-byte heap out-of-bounds read occurs
Impact
Stale heap data disclosed to attacker

Vulnerability AssessmentAI

Exploitation The victim host must run dnsmasq as a DNS forwarder or recursive resolver and must issue a query for a domain name for which the attacker serves as the authoritative name server (or can inject a spoofed DNS response). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the limited impact: only a 10-byte heap read with no write primitive and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises an authoritative DNS zone and waits for a target host running dnsmasq to query a name within that zone. The attacker's DNS server responds with a crafted NXDOMAIN message whose NS section contains a resource record with the domain name positioned such that the 10-byte fixed-length trailer falls outside the message buffer boundary. …
Remediation Monitor the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-12969 and apply the updated dnsmasq package for your RHEL or OpenShift release as soon as it becomes available; no specific fixed version number has been confirmed from the provided data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-12969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy