A heap-based out-of-bounds read occurs during DNSSEC validation in dnsmasq when it processes certain DNS packets. This read flaw can corrupt memory and force the DNS daemon to crash, preventing it from responding to subsequent queries. The vulnerability leads to a denial of service for all clients that rely on the affected DNS server, exposing them to service interruption and potential cascading network failures. The weakness is a classic out-of-bounds read.

dnsmasq is the affected product. No specific version information is provided, which means that any installation that enables DNSSEC validation may be vulnerable, regardless of the dnsmasq release. System administrators should review all dnsmasq deployments that perform DNSSEC checks for potential risk.

The vulnerability can be triggered remotely by an attacker who can send a malicious DNS packet to the affected DNS server. EPSS data is not available and the issue is not listed in CISA’s KEV catalog, so the exploitation probability is currently unknown. However, because the flaw results in a crash and is reachable over the network, the risk remains significant. The CVSS score of 5.3 indicates a medium severity. Defeating it requires an update or configuration change to stop the daemon from validating DNSSEC data or to apply the forthcoming fix when available.