DescriptionA flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnsmasq (PTS)buster, buster (security)2.80-1+deb10u1fixed
sid, trixie2.90-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[stretch] - dnsmasq <ignored> (Minor issue, off-path DNS-non-sec cache poisoning, mitigated by CVE-2020-25684 fix, invasive, regressions);a=commit;h=15b60ddf935a531269bb8c68198de012a4967156;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee (regression);a=commit;h=12af2b171de0d678d98583e2190789e544440e02 (regression);a=commit;h=3f535da79e7a42104543ef5c7b5fa2bed819a78b (regression);a=commit;h=25e63f1e56f5acdcf91893a1b92ad1e0f2f552d8 (regression);a=commit;h=141a26f979b4bc959d8e866a295e24f8cf456920 (regression);a=commit;h=305cb79c5754d5554729b18a2c06fe7ce699687a (regression)

Search for package or bug name: Reporting problems