CVE-2026-12725
MEDIUMDnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey replies
Title source: cnaDescription
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
References (2)
Core 2
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-12725
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2490763
https://bugzilla.redhat.com/show_bug.cgi?id=2490763
Scores
CVSS v3
5.9
EPSS
0.0040
EPSS Percentile
32.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-122
Status
published
Products (11)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
Red Hat/Red Hat OpenShift Container Platform 4
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
redhat/enterprise_linux
10.0
redhat/openshift_container_platform
4.0 - 4.22.1
... and 1 more
Published
Jun 22, 2026
Tracked Since
Jun 22, 2026