CVE-2026-12725

Name: CVE-2026-12725
Description: A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                        | Version          | Status
-------------- | ------------------------------ | ---------------- | ----------
dnsmasq (PTS)  | bullseye                       | 2.85-1           | vulnerable
               | bullseye (security)            | 2.85-1+deb11u2   | vulnerable
               | bookworm, bookworm (security)  | 2.90-4~deb12u2   | vulnerable
               | trixie (security), trixie      | 2.91-1+deb13u1   | vulnerable
               | forky, sid                     | 2.93-1           | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
------- | ------ | ---------- | ------------- | ------- | ------ | -----------
dnsmasq | source | (unstable) | 2.93-1        |         |        |

Notes

[trixie] - dnsmasq <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2490763
Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=36d081e37477027fd721fea498f3760f529034ad (v2.93test10)
