CVE-2026-1425 - Vulnerability Details

- pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow

Description

A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue.

Published: 2026-01-26

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stack-based buffer overflow in the SVBC Record parser (function _dns_decode_SVCB_HTTPS in src/dns.c) allows attackers to supply crafted DNS messages that overflow the stack and potentially execute arbitrary code. The flaw exists in SmartDNS versions up to 47.1 and can be triggered remotely without authentication. The vulnerability is classified under CWE‑119 and CWE‑121, indicating unsafe buffer handling and improper stack management.

Affected Systems

The affected product is pymumu SmartDNS up to version 47.1. This version range is listed by the CNA and covers all SmartDNS releases that include the SVBC parsing logic.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. The EPSS score is below 1%, showing a very low current exploitation probability, and the vulnerability is not listed in KEV. However, because the bug can be triggered remotely and leads to code execution, its impact is significant if an attacker can reach the server. Exploitation complexity is considered high by the vendor, implying that while feasible, it requires significant effort.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pymumu

SmartDNS

affected

Version	Status	Constraints
`47.0`	affected	—
`47.1`	affected	—

No data.

Vendor	Product	Confidence	Versions
Pymumu	Smartdns	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade SmartDNS to version 47.1 or newer, which includes the security fix.
If the upgrade is not immediately possible, apply the patch identified by commit 2d57c4b4e1add9b4537aeb403f794a084727e1c8 to the source code and rebuild the service.
As a temporary measure, block or filter incoming DNS queries that contain the SVCB or related HTTPS records using network firewall rules to mitigate the risk until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 02:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/pymumu/smartdns/
https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8
https://vuldb.com/?ctiid.342841
https://vuldb.com/?id.342841
https://vuldb.com/?submit.736827

History

Mon, 23 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:pymumu:smartdns::::::::
References		https://github.com/pymumu/smartdns/

Tue, 27 Jan 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pymumu Pymumu smartdns
Vendors & Products		Pymumu Pymumu smartdns

Mon, 26 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 26 Jan 2026 08:00:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue.
Title		pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow
Weaknesses		CWE-119 CWE-121
References		https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8 https://vuldb.com/?ctiid.342841 https://vuldb.com/?id.342841 https://vuldb.com/?submit.736827
Metrics		cvssV2_0 `{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Pymumu Smartdns

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-26T07:32:06.516Z

Updated: 2026-02-23T08:58:07.493Z

Reserved: 2026-01-25T17:17:00.491Z

Link: CVE-2026-1425

Vulnrichment

Updated: 2026-01-26T14:16:17.683Z

NVD

Status : Deferred

Published: 2026-01-26T08:16:00.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object