CVE Catalog

CVE-2026-12725

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

Risk Assessment

The risk is that a remote attacker can crash the DNS service, causing network disruption and affecting applications that depend on name resolution.

Recommendation

It is recommended to immediately update dnsmasq to the latest patched version. As a temporary workaround, disable DNSSEC validation or query logging if not essential.

Original NVD description (English source)

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS