CVE-2025-12198 is a heap-based buffer overflow vulnerability identified in the widely used DNS forwarder and DHCP server software dnsmasq, affecting versions up to 2.73rc6. The flaw resides in the parse_hex function within the src/util.c file, part of the configuration file handler component. Specifically, improper manipulation of the argument 'i' during parsing leads to a heap overflow condition. This vulnerability requires local access with low privileges, meaning an attacker must have some level of access to the target system but does not require elevated rights or user interaction. The overflow can corrupt heap memory, potentially allowing an attacker to execute arbitrary code, escalate privileges, or cause denial of service by crashing the service. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability, combined with the relatively low attack complexity and privileges required. The vulnerability was publicly disclosed on October 27, 2025, with exploit code available, but no confirmed exploitation in the wild has been reported. The vendor has not responded to the disclosure, and no official patches have been released, increasing the urgency for organizations to implement mitigations. Given dnsmasq's role in network infrastructure, exploitation could disrupt DNS and DHCP services, impacting network reliability and security.

For European organizations, this vulnerability poses significant risks, especially for those relying on dnsmasq in network infrastructure, including ISPs, enterprises, and government agencies. Successful exploitation could allow local attackers to escalate privileges, gain unauthorized access to sensitive network configurations, or disrupt critical DNS and DHCP services, leading to network outages or data breaches. The impact on confidentiality is high due to potential unauthorized access, integrity is compromised through possible code execution or configuration manipulation, and availability is threatened by service crashes or denial of service. The requirement for local access limits remote exploitation but does not eliminate risk, as insider threats or compromised accounts could leverage this flaw. The lack of vendor response and patches increases exposure time, making timely mitigation critical. Disruption of DNS/DHCP services can have cascading effects on business operations, especially in sectors like finance, healthcare, and critical infrastructure prevalent in Europe.

Immediate mitigation should focus on restricting local access to systems running vulnerable dnsmasq versions by enforcing strict access controls and monitoring for suspicious local activity. Network segmentation can limit exposure of affected hosts. Administrators should audit and inventory dnsmasq versions in use and prioritize upgrading to patched versions once available. In the absence of official patches, organizations can consider applying community-developed patches or backporting fixes from future releases. Employing runtime protections such as heap memory protection mechanisms (e.g., ASLR, heap canaries) can reduce exploitation success. Regularly monitoring logs for abnormal dnsmasq behavior or crashes can provide early detection. Additionally, implementing multi-factor authentication and minimizing the number of users with local access reduces the attack surface. Organizations should also prepare incident response plans for potential exploitation scenarios involving dnsmasq.