An out-of-bounds read vulnerability was found in dnsmasq's find_soa() function in src/rfc1035.c.

The function calls extract_name() with extrabytes=0 when parsing NS section records in NXDOMAIN/NODATA responses, which only validates that the DNS name fits within the packet but does not verify that 10 additional bytes exist for the fixed-length fields (type, class, TTL, rdlen). The subsequent GETSHORT/GETLONG macros then unconditionally read 10 bytes past the valid packet boundary.

An attacker controlling a DNS zone can trigger this by returning a crafted NXDOMAIN response where the NS record name (a compression pointer) extends to the packet boundary.

The 10-byte over-read typically stays within dnsmasq's over-allocated packet buffer (headroom of 1035 bytes), limiting crash risk, but accesses data outside the logical packet boundary and may read stale heap data from prior DNS transactions.

Upstream fix: https://repo.or.cz/dnsmasq.mirror.git/commit/14094e88beca519c53151184cc4553656672b54f

Fixed in: dnsmasq 2.93rc1