← back
CVE-2026-12725

Dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey replies

CVSS 5.9 MEDIUMEPSS 0.4%CWE-122
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.9EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
22 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →