CVE-2026-12725 Overview
CVE-2026-12725 is a heap-based buffer overflow [CWE-122] in dnsmasq, a widely deployed lightweight DNS forwarder and DHCP server. The flaw occurs when both DNSSEC validation and query logging are enabled. When dnsmasq logs DS or DNSKEY replies that contain unsupported algorithm or digest types, the logging routine writes past the end of an internal buffer.
A remote attacker capable of supplying a crafted DNS response can crash the dnsmasq process, producing a denial-of-service condition. The issue affects routers, embedded devices, and Linux systems that rely on dnsmasq for DNS resolution.
Critical Impact
A remote attacker delivering a malicious DNS response can corrupt heap memory in dnsmasq and terminate the resolver, disrupting DNS for all downstream clients.
Affected Products
- dnsmasq builds with DNSSEC validation compiled in
- Red Hat Enterprise Linux distributions packaging affected dnsmasq versions
- Network appliances and embedded firmware bundling vulnerable dnsmasq releases
Discovery Timeline
- 2026-06-22 - CVE-2026-12725 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-12725
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow in the dnsmasq logging path. Two preconditions must be satisfied: DNSSEC validation must be enabled, and query logging must be active. Under these conditions, dnsmasq formats incoming DS (Delegation Signer) and DNSKEY resource records into an internal logging buffer.
When the resource record references an algorithm or digest type that dnsmasq does not recognize, the formatting logic miscomputes the required buffer length. The resulting write exceeds the bounds of the heap allocation, corrupting adjacent memory and causing the process to abort.
Because the attack vector is the network and no authentication is required, any upstream DNS responder reachable from the resolver can supply the malicious record. The Red Hat advisory characterizes the impact as a process crash, producing denial of service for DNS clients served by the resolver.
Root Cause
The root cause is improper bounds handling in the DNSSEC response logging code path. The formatter does not account for the string representation length of unknown algorithm or digest identifiers before writing to the fixed-size heap buffer. This violates standard safe-formatting practice and falls within [CWE-122] Heap-Based Buffer Overflow.
Attack Vector
Exploitation requires the attacker to influence DNS responses processed by the vulnerable resolver. This can be achieved by controlling an authoritative server queried during recursive resolution, by performing on-path response injection, or by hosting a domain that returns crafted DS or DNSKEY records.
The target resolver must be configured with DNSSEC validation (--dnssec) and logging (--log-queries) enabled. When the resolver attempts to log the malformed response, the heap overflow triggers and the process terminates. See the Red Hat CVE Advisory and the Red Hat Bug Report #2490763 for vendor technical details.
Detection Methods for CVE-2026-12725
Indicators of Compromise
- Unexpected termination or repeated restarts of the dnsmasq service recorded in systemd, journalctl, or syslog
- Crash signatures referencing heap corruption, SIGABRT, or glibc malloc assertions in dnsmasq core dumps
- DNS responses containing DS or DNSKEY records with unassigned or reserved algorithm or digest type identifiers
- Loss of DNS resolution for clients immediately following queries to attacker-controlled domains
Detection Strategies
- Monitor process supervisors for dnsmasq exit codes and restart counts to identify crash-loop behavior
- Inspect DNS traffic for DS and DNSKEY records carrying algorithm or digest values outside the IANA registry
- Correlate resolver crashes with the timestamp of recent queries to identify suspect domains
- Verify whether --dnssec and --log-queries are both enabled on each dnsmasq instance and flag exposed hosts
Monitoring Recommendations
- Enable core dump capture for the dnsmasq process to support post-incident analysis
- Forward dnsmasq logs to a central log platform and alert on abnormal termination events
- Track upstream DNS response anomalies, particularly malformed DNSSEC chains, through passive DNS collection
- Apply DNS response policy zones (RPZ) or filtering to block lookups to known malicious authoritative servers
How to Mitigate CVE-2026-12725
Immediate Actions Required
- Identify all hosts running dnsmasq and determine which have DNSSEC validation and query logging enabled simultaneously
- Apply the vendor-supplied patch for dnsmasq as soon as it is available from your Linux distribution
- Restrict upstream DNS resolvers to trusted providers to reduce exposure to attacker-controlled responses
- Restart the dnsmasq service after patching to ensure the vulnerable binary is no longer resident in memory
Patch Information
Red Hat tracks the issue under the Red Hat CVE Advisory and Red Hat Bug Report #2490763. Consult your distribution's package repository for the fixed dnsmasq build and apply updates through the standard package manager such as dnf update dnsmasq or apt upgrade dnsmasq.
Workarounds
- Disable query logging by removing the --log-queries option until a patched build is installed
- Disable DNSSEC validation in dnsmasq configuration if logging cannot be turned off in the environment
- Configure dnsmasq to forward queries only to upstream resolvers that perform DNSSEC validation, removing the need for local validation
- Place dnsmasq behind a filtering resolver that strips malformed DNSSEC records before they reach the vulnerable process
# Configuration example: disable query logging as a temporary workaround
# Edit /etc/dnsmasq.conf and comment out the following directive
# log-queries
# Alternatively, disable DNSSEC validation until the patch is applied
# Comment out these directives in /etc/dnsmasq.conf
# dnssec
# trust-anchor=...
# Restart the service to apply changes
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

