Description
An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read exists in dnsmasq’s find_soa() function. During parsing of NS section records, the extract_name() routine is supplied with extrabytes=0, which allows it to read up to ten bytes beyond the end of the buffer. When a remote attacker controls the contents of a DNS zone, it can induce dnsmasq to process a specially crafted NXDOMAIN response that triggers the unchecked read, potentially exposing stale data from prior transactions. This vulnerability is classified as CWE‑125 (Out‑of‑Bounds Read).

Affected Systems

The flaw affects Red Hat Enterprise Linux 6–10, Red Hat OpenShift Container Platform 4, and all distributions that ship with dnsmasq before version 2.93rc1. The advisory does not list specific minor revisions, but any instance running a pre‑2.93rc1 build that is exposed to untrusted DNS zones is vulnerable. The remedy is to upgrade dnsmasq to 2.93rc1 or newer. A workaround is not available that meets Red Hat’s security criteria; therefore, the only viable mitigation is the firmware update.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is considered of medium severity. No EPSS score is available, and it is not listed in CISA’s KEV catalogue, suggesting no public exploit is known. Nonetheless, exploitation requires control over the DNS zone served by the vulnerable dnsmasq instance, which can be achieved by an attacker who is able to delegate or modify the zone. Compromising the zone then allows the attacker to trigger the out‑of‑bounds read and potentially discover sensitive data. Security teams should treat this as a risk that depends on their exposure to zone authorisation, and apply the official patch promptly to eliminate the vulnerability.

Generated by OpenCVE AI on June 24, 2026 at 11:57 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. The fix is available in dnsmasq 2.93rc1 and later.


OpenCVE Recommended Actions

  • Upgrade dnsmasq to version 2.93rc1 or later.
  • Restrict dnsmasq to serve only trusted zones and remove uncontrolled zone delegation.
  • Enforce network segmentation and firewall rules to limit exposure of dnsmasq to untrusted clients.

Generated by OpenCVE AI on June 24, 2026 at 11:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Redhat openshift Container Platform
Vendors & Products Dnsmasq
Dnsmasq dnsmasq
Redhat openshift Container Platform

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
Title Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to missing extrabytes validation
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-125
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Dnsmasq Dnsmasq
Redhat Enterprise Linux Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-23T15:04:49.622Z

Reserved: 2026-06-23T09:25:06.270Z

Link: CVE-2026-12969

cve-icon Vulnrichment

Updated: 2026-06-23T15:02:27.275Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:07Z

Weaknesses