CVE-2026-12725
MEDIUM 5.9A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.4%chance of exploitation in 30 days · 32nd percentile
Impact if exploited
5.9CVSS 3.1 · MEDIUM
- ConfidentialityNone
- IntegrityNone
- AvailabilityHigh
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors Red Hat
Products Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 Red Hat Openshift Container Platform 4
Weakness (CWE)
- CWE-122
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H