CVE-2026-12725 PUBLISHED

Dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey replies

Assigner: redhat
Reserved: 19.06.2026 Published: 22.06.2026 Updated: 22.06.2026

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: affected

Workarounds

Mitigate this issue by updating to a version of dnsmasq that includes the upstream fix (commit 36d081e37477027fd721fea498f3760f529034ad), or by disabling query logging if DNSSEC validation must remain enabled. After changing the configuration, restart the dnsmasq service for the changes to take effect.

Credits

  • Red Hat would like to thank Yiwei Hou (UC Berkeley) for reporting this issue.

References

Problem Types

  • Heap-based Buffer Overflow CWE