Bug 2406466 (CVE-2025-12198)

Summary: CVE-2025-12198 dnsmasq: dnsmasq Config File util.c parse_hex heap-based overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: pemensik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A heap-based buffer overflow vulnerability in dnsmasq within the parse_hex() function of src/util.c. When parsing malformed DHCP option values in configuration files, dnsmasq miscalculates the output length and writes beyond the allocated heap buffer. This can cause a crash (Denial of Service) and, in some cases, memory corruption that may enable arbitrary code execution. The flaw is triggered during configuration parsing, so an attacker who can supply or modify the dnsmasq configuration file could exploit it.
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-11-09 11:12:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2406485, 2406486    
Bug Blocks:    

Description OSIDB Bzimport 2025-10-27 02:01:46 UTC
A vulnerability has been found in dnsmasq up to 2.73rc6. Affected is the function parse_hex of the file src/util.c of the component Config File Handler. The manipulation of the argument i leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Comment 2 Petr Menšík 2025-11-09 11:10:15 UTC
This was marked as rejected: https://www.cve.org/CVERecord?id=CVE-2025-12198

Please mark it so in all remaining products. There is nothing to fix in dnsmasq.

Comment 3 Red Hat Bugzilla 2026-05-13 04:25:06 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days or the product is inactive and locked