Description
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Mitigate
AI Analysis

Impact

Dnsmasq is vulnerable to an out‑of‑bounds write in DHCP BOOTREPLY processing. A crafted BOOTREPLY packet can overwrite adjacent memory, causing the dnsmasq daemon to crash. The crash produces a denial of service that can disrupt DNS and DHCP services for any client that contacts the compromised server. The flaw is classified as CWE‑787, a bounds checking failure, and the CVSS score of 7.5 indicates a high severity of impact.

Affected Systems

The vulnerability affects Red Hat Enterprise Linux releases 6 through 10, as well as Red Hat OpenShift Container Platform 4, all of which ship a dnsmasq package that may be configured with the --dhcp-split-relay option. Vendors supplying the affected packages include Red Hat, the vendor for the impacted distributions and services.

Risk and Exploitability

The flaw can be triggered remotely by any user able to send a BOOTREPLY packet to the target dnsmasq instance. Because the exploit relies on network‑layer packet manipulation, an attacker with network access to the DHCP service can initiate the attack without requiring local privileges. The EPSS score is not available, but the high CVSS impact coupled with the remote nature of the exploit and absence from the KEV catalog means that organizations should treat this as a high‑risk denial‑of‑service vulnerability that is likely to be actively sought by threat actors, especially in environments where dnsmasq is used for DHCP relay or boot services.

Generated by OpenCVE AI on April 18, 2026 at 09:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that the `dnsmasq` service is not configured with the `--dhcp-split-relay` option. If this option is currently in use, remove it from the `dnsmasq` configuration. After modifying the configuration, the `dnsmasq` service must be restarted for the changes to take effect. This may temporarily interrupt DHCP and DNS services provided by `dnsmasq`.

OpenCVE Recommended Actions

  • Remove the --dhcp-split-relay option from the dnsmasq configuration so the vulnerable DHCP code path is not exercised
  • Restart the dnsmasq service to load the updated configuration and restore DHCP/DNS service functionality
  • Apply the vendor‑issued patch or the latest upstream fix for dnsmasq once it becomes available

Generated by OpenCVE AI on April 18, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Container Platform
Vendors & Products Redhat openshift Container Platform

Fri, 17 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).
Title Dnsmasq: dnsmasq: denial of service due to out-of-bounds write in dhcp bootreply processing
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-787
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-20T14:59:06.735Z

Reserved: 2026-04-17T11:32:04.326Z

Link: CVE-2026-6507

cve-icon Vulnrichment

Updated: 2026-04-17T14:30:09.736Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T13:16:14.967

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-6507

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-17T11:37:00Z

Links: CVE-2026-6507 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses