CVE-2026-12725
Heap-based Buffer Overflow in Dnsmasq with DNSSEC Validation

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Red Hat, Inc.

Description
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
Generated: 2026-06-22
Affected Vendors & Products
Vendor Product Version / Range
the_isc dnsmasq 2.92rel2
CWE
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

CVE-2026-12725 is a heap-based buffer overflow vulnerability found in dnsmasq's log_query() function. It occurs when both DNSSEC validation and query logging are enabled, and dnsmasq attempts to log DS or DNSKEY replies that contain unsupported algorithm or digest types.

The vulnerability arises because the string "(not supported)" written by sprintf() exceeds the size of a 46-byte heap buffer (daemon->addrbuff), causing a bounded heap write overflow of about 12 bytes.

While the overflow is limited in size and does not allow attacker-controlled bytes, it can cause the dnsmasq process to crash or lead to heap corruption.

Impact Analysis

This vulnerability can cause the dnsmasq process to crash, resulting in a denial of service (DoS).

Since the overflow is limited and does not allow remote code execution, the main impact is service disruption rather than compromise of confidentiality or integrity.

Detection Guidance

This vulnerability occurs when dnsmasq has both DNSSEC validation and query logging enabled, and it processes DS or DNSKEY replies containing unsupported algorithm or digest types. Detection involves checking if dnsmasq is configured with these features enabled.

You can verify if dnsmasq is running with query logging enabled by inspecting its configuration or running processes.

  • Check dnsmasq configuration files (e.g., /etc/dnsmasq.conf) for options like 'log-queries' and DNSSEC validation settings.
  • Use `ps aux | grep dnsmasq` to see the command-line options the running process was started with (options such as `--dnssec` and `-q`/`--log-queries` can be given there instead of in the configuration file).
  • Monitor system logs for dnsmasq crashes or heap corruption messages, which may indicate exploitation attempts.
  • Capture and analyze DNS traffic to identify DS or DNSKEY replies with unsupported algorithm or digest types using tools like tcpdump or Wireshark.
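The configuration check from the list above, as an added example that is not part of the advisory or of the dnsmasq project: a POSIX shell function that reads a dnsmasq configuration file, follows its `conf-file=` and `conf-dir=` includes, and reports whether both `dnssec` and `log-queries` are active. The default path `/etc/dnsmasq.conf` and the decision to ignore the `,*.conf` filter suffix on `conf-dir` are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the dnsmasq project): report whether
# a dnsmasq configuration enables both options named in the trigger condition,
# DNSSEC validation ("dnssec") and query logging ("log-queries").
# conf-file= and conf-dir= includes are followed; the ",*.conf" style filter
# on conf-dir is ignored (assumption: slightly more files than dnsmasq itself
# would read may be scanned).

# Print the effective option lines of one config file and its includes,
# with comments, surrounding whitespace and blank lines stripped.
dnsmasq_effective_config() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
    sed -n -e 's/#.*$//' -e 's/^[[:space:]]*conf-file=//p' "$1" | while read -r inc; do
        dnsmasq_effective_config "$inc"
    done
    sed -n -e 's/#.*$//' -e 's/^[[:space:]]*conf-dir=//p' "$1" | while read -r dir; do
        for f in "${dir%%,*}"/*; do
            [ -f "$f" ] && dnsmasq_effective_config "$f"
        done
    done
}

# Exit 0 when both "dnssec" and "log-queries" are active (the vulnerable
# combination), 1 otherwise; also prints which of the two options were seen.
# Argument: path to the main config file (default /etc/dnsmasq.conf, assumed).
dnsmasq_dnssec_logging_enabled() {
    opts=$(dnsmasq_effective_config "${1:-/etc/dnsmasq.conf}")
    dnssec=no; logq=no
    # Exact match so that dnssec-check-unsigned, dnssec-timestamp etc. do not count.
    printf '%s\n' "$opts" | grep -qx 'dnssec' && dnssec=yes
    # log-queries may appear bare or as log-queries=extra.
    printf '%s\n' "$opts" | grep -qE '^log-queries(=|$)' && logq=yes
    echo "dnssec=$dnssec log-queries=$logq"
    [ "$dnssec" = yes ] && [ "$logq" = yes ]
}
```

Options passed on the dnsmasq command line are not visible to this check, so pair it with the `ps` inspection from the list.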
Mitigation Strategies

To mitigate this vulnerability, you should update dnsmasq to a version that includes the fix, specifically version 2.92rel2 or later where the issue has been resolved.

If immediate update is not possible, consider disabling either DNSSEC validation or query logging to prevent triggering the vulnerable code path.

Monitor dnsmasq processes for crashes and avoid processing DNS responses with unsupported algorithm or digest types if possible.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
