Bug 2458521 (CVE-2026-5172)

Summary: CVE-2026-5172 dnsmasq: extract_addresses() OOB read via malformed rdlen
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A heap out-of-bounds read vulnerability was discovered in dnsmasq's DNS response processing. The extract_addresses() function trusts the declared record data length (rdlen) without verifying that a subsequent call to extract_name() stays within the record boundary. A crafted DNS response with a mismatched rdlen causes the remaining-bytes calculation to underflow, resulting in a massive out-of-bounds read and process crash.
Deadline: 2026-05-09   

Description OSIDB Bzimport 2026-04-14 22:59:51 UTC
In extract_addresses() at rfc1035.c:943, the rdlen field of an RR is trusted without verification. When extract_name() is called on the record's data, it can advance p1 past the calculated end of the record (endrr). The subsequent calculation of remaining bytes (endrr - p1) underflows to a huge unsigned value, causing a massive heap OOB read and certain crash. Fix: add p1 > endrr check after the extract_name() call.
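
The overrun check named in the description, shown on a simplified record parser. This is an added example, not dnsmasq's code: `skip_name()`, `remaining_unchecked()`, `remaining_checked()` and the `SAMPLE` bytes are hypothetical and constructed here; only the names `rdlen`, `p1` and `endrr` come from the report.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample RDATA: name "www.example." (13 bytes) + 4 payload bytes. */
static const uint8_t SAMPLE[17] = {3,'w','w','w',7,'e','x','a','m','p','l','e',0,1,2,3,4};

/* Hypothetical helper (not dnsmasq's extract_name): skip an uncompressed name,
 * bounded only by the packet end. Returns the byte after the root label or NULL. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *pkt_end)
{
    while (p < pkt_end) {
        uint8_t len = *p++;
        if (len == 0)
            return p;
        if (len > 63 || (size_t)(pkt_end - p) < len)
            return NULL;
        p += len;
    }
    return NULL;
}

/* Unchecked: trusts rdlen; the result is what a later read would consume. */
size_t remaining_unchecked(const uint8_t *rdata, uint16_t rdlen,
                           const uint8_t *pkt_end)
{
    const uint8_t *endrr = rdata + rdlen;   /* caller keeps this in-buffer */
    const uint8_t *p1 = skip_name(rdata, pkt_end);
    return p1 ? (size_t)(endrr - p1) : 0;   /* wraps when p1 > endrr */
}

/* Checked: 0 and *out on success, -1 if the record is malformed. */
int remaining_checked(const uint8_t *rdata, uint16_t rdlen,
                      const uint8_t *pkt_end, size_t *out)
{
    if ((size_t)(pkt_end - rdata) < rdlen)
        return -1;                          /* rdlen runs past the packet */
    const uint8_t *endrr = rdata + rdlen;
    const uint8_t *p1 = skip_name(rdata, pkt_end);
    if (p1 == NULL || p1 > endrr)
        return -1;                          /* name parse overran the record */
    *out = (size_t)(endrr - p1);
    return 0;
}

int main(void)
{
    size_t n = 0;
    return remaining_checked(SAMPLE, 2, SAMPLE + sizeof SAMPLE, &n) == -1 ? 0 : 1;
}
```

With a declared `rdlen` of 2 against a 13-byte name, the unchecked form yields a length near `SIZE_MAX`, while the checked form rejects the record before any length is computed.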

Comment 2 errata-xmlrpc 2026-05-19 16:10:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19158 https://access.redhat.com/errata/RHSA-2026:19158