oss-sec mailing list archives
Questionable CVE's reported against dnsmasq
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 27 Oct 2025 09:34:03 -0700
Among the new CVE's published this weekend were these from the VulDB CNA:

CVE-2025-12198
A vulnerability has been found in dnsmasq up to 2.73rc6. Affected is the function parse_hex of the file src/util.c of the component Config File Handler. The manipulation of the argument i leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
https://shimo.im/docs/1d3aMVMmNmiLjg3g/read

CVE-2025-12199
A vulnerability was found in dnsmasq up to 2.73rc6. Affected by this vulnerability is the function check_servers of the file src/network.c of the component Config File Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
https://shimo.im/docs/ZzkLMVMN7vIYJBAQ/read

CVE-2025-12200
A vulnerability was determined in dnsmasq up to 2.73rc6. Affected by this issue is the function parse_dhcp_opt of the file src/option.c of the component Config File Handler. This manipulation of the argument m causes null pointer dereference. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
https://shimo.im/docs/5xkGoMo0WVfY4dkX/read

For all three bugs, the documented "exploit" requires "Replace the default configuration file (/etc/dnsmasq.conf) with the provided malicious file." and if you can replace the server's configuration file you don't need to play games with putting invalid contents in to break the parser, but can simply change the configuration directly.

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
