CVE-2026-12725
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
Risk Assessment
The risk is that a remote attacker can crash the DNS service, causing network disruption and affecting applications that depend on name resolution.
Recommendation
It is recommended to immediately update dnsmasq to the latest patched version. As a temporary workaround, disable DNSSEC validation or query logging if not essential.
Original NVD description (English source)
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

