dnsmasq < 2.93 Heap-Based Buffer Overflow (CVE-2026-12725)

medium Nessus Plugin ID 325896

Synopsis

The remote DNS / DHCP service is affected by a heap-based buffer overflow vulnerability.

Description

The version of dnsmasq installed on the remote host is prior to 2.93. It is, therefore, affected by a heap-based buffer overflow vulnerability. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to dnsmasq 2.93 or later.

See Also

https://access.redhat.com/security/cve/CVE-2026-12725

http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

Plugin Details

Severity: Medium

ID: 325896

File Name: dnsmasq_2_93.nasl

Version: 1.2

Type: Remote

Family: DNS

Published: 7/9/2026

Updated: 7/10/2026

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-12725

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:thekelleys:dnsmasq

Required KB Items: dns_server/version, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2026

Vulnerability Publication Date: 6/22/2026

Reference Information

CVE: CVE-2026-12725