Impact
The vulnerability is a heap‑based out‑of‑bounds read (CWE‑125) in dnsmasq’s DNSSEC validation logic. When the daemon receives a malicious DNSSEC‑signed packet, it reads past the end of an allocated buffer, corrupting internal state and causing the process to crash. The crash terminates dnsmasq, denying all local and remote clients the ability to resolve DNS queries, which results in a denial of service.
Affected Systems
dnsmasq is the affected product. No specific version is listed, so any installation that has DNSSEC validation enabled could be affected. This includes residential, enterprise, and service‑provider DNS resolvers that rely on dnsmasq as their DNS server.
Risk and Exploitability
The CVSS score of 5.3 classifies the flaw as medium severity, and the EPSS score of 6% indicates a low but non‑zero chance of exploitation. The vulnerability is exploitable remotely over the network by sending a malformed DNS packet; no authentication is required. The flaw is not currently listed in CISA’s KEV catalog, but defenders should monitor for outages that might be caused by these packet‑processing crashes.
OpenCVE Enrichment
Debian DLA
Debian DSA