Impact
An out‑of‑bounds read exists in dnsmasq’s find_soa() function. During parsing of NS section records, the extract_name() routine is supplied with extrabytes=0, which allows it to read up to ten bytes beyond the end of the buffer. When a remote attacker controls the contents of a DNS zone, it can induce dnsmasq to process a specially crafted NXDOMAIN response that triggers the unchecked read, potentially exposing stale data from prior transactions. This vulnerability is classified as CWE‑125 (Out‑of‑Bounds Read).
Affected Systems
The flaw affects Red Hat Enterprise Linux 6–10, Red Hat OpenShift Container Platform 4, and all distributions that ship with dnsmasq before version 2.93rc1. The advisory does not list specific minor revisions, but any instance running a pre‑2.93rc1 build that is exposed to untrusted DNS zones is vulnerable. The remedy is to upgrade dnsmasq to 2.93rc1 or newer. A workaround is not available that meets Red Hat’s security criteria; therefore, the only viable mitigation is the firmware update.
Risk and Exploitability
With a CVSS score of 5.3 the vulnerability is considered of medium severity. No EPSS score is available, and it is not listed in CISA’s KEV catalogue, suggesting no public exploit is known. Nonetheless, exploitation requires control over the DNS zone served by the vulnerable dnsmasq instance, which can be achieved by an attacker who is able to delegate or modify the zone. Compromising the zone then allows the attacker to trigger the out‑of‑bounds read and potentially discover sensitive data. Security teams should treat this as a risk that depends on their exposure to zone authorisation, and apply the official patch promptly to eliminate the vulnerability.
OpenCVE Enrichment