Bug 2490763 (CVE-2026-12725) - CVE-2026-12725 dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported DS/DNSKEY replies
Summary: CVE-2026-12725 dnsmasq: dnsmasq: heap buffer overflow in log_query() when log...
Keywords:
Status: NEW
Alias: CVE-2026-12725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-19 14:44 UTC by OSIDB Bzimport
Modified: 2026-06-22 13:42 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-19 14:44:48 UTC
A heap buffer overflow exists in dnsmasq's log_query() function (src/cache.c).
When query logging is enabled and dnsmasq logs DS or DNSKEY replies containing
unsupported algorithm or digest types, the "(not supported)" suffix causes
sprintf() to write past the end of daemon->addrbuff, a 46-byte heap buffer.
Trigger example: a DS record with key_tag=65535, algorithm=255, digest_type=255
(both algorithm 255 and digest_type 255 are IANA-unassigned), causing the
"(not supported)" branch in dnssec.c to fire during logging.
Prerequisites:
- DNSSEC validation enabled
- Query logging enabled (e.g. --log-queries)
Impact: bounded heap write overflow (~12 bytes). Upstream maintainer Simon Kelley
notes the overwrite is of bounded length, the bytes written are not
attacker-controlled, and this is not considered a likely remote-execution vector.
Practical impact is denial of service via process crash or heap corruption.
Fixed upstream in commit 36d081e37477027fd721fea498f3760f529034ad (dnsmasq 2.92rel2).


Note You need to log in before you can comment on or make changes to this bug.