CVE-2026-12725: Heap-based Buffer Overflow in Red Hat Red Hat Enterprise Linux 10
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
AI Analysis
Technical Summary
CVE-2026-12725 is a heap-based buffer overflow vulnerability in the dnsmasq component of Red Hat Enterprise Linux 10. The flaw is triggered when both DNSSEC validation and query logging are enabled. Specifically, logging DS or DNSKEY DNS replies that include unsupported algorithm or digest types causes dnsmasq to write past the end of an internal logging buffer. This memory corruption can lead to a crash of the dnsmasq process, causing a denial of service condition. The vulnerability requires a remote attacker to supply a crafted DNS response to trigger the issue. There is no indication of code execution or data disclosure from the available information.
Potential Impact
The vulnerability can cause a denial of service by crashing the dnsmasq process on affected systems. There is no reported impact on confidentiality or integrity. Exploitation requires a remote attacker to send specially crafted DNS responses that trigger the buffer overflow during logging. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12725 for current remediation guidance. Since no official fix or workaround is stated in the advisory content, users should monitor the vendor advisory for updates. Temporarily, disabling either DNSSEC validation or query logging in dnsmasq may mitigate the issue by preventing the vulnerable code path from being exercised.
CVE-2026-12725: Heap-based Buffer Overflow in Red Hat Red Hat Enterprise Linux 10
Description
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.
CVSS v3.1
Score 5.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12725 is a heap-based buffer overflow vulnerability in the dnsmasq component of Red Hat Enterprise Linux 10. The flaw is triggered when both DNSSEC validation and query logging are enabled. Specifically, logging DS or DNSKEY DNS replies that include unsupported algorithm or digest types causes dnsmasq to write past the end of an internal logging buffer. This memory corruption can lead to a crash of the dnsmasq process, causing a denial of service condition. The vulnerability requires a remote attacker to supply a crafted DNS response to trigger the issue. There is no indication of code execution or data disclosure from the available information.
Potential Impact
The vulnerability can cause a denial of service by crashing the dnsmasq process on affected systems. There is no reported impact on confidentiality or integrity. Exploitation requires a remote attacker to send specially crafted DNS responses that trigger the buffer overflow during logging. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12725 for current remediation guidance. Since no official fix or workaround is stated in the advisory content, users should monitor the vendor advisory for updates. Temporarily, disabling either DNSSEC validation or query logging in dnsmasq may mitigate the issue by preventing the vulnerable code path from being exercised.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-19T14:44:05.921Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-12725","vendor":"Red Hat"}]
Threat ID: 6a395729eed863c81e0537e2
Added to database: 06/22/2026, 15:39:21 UTC
Last enriched: 06/22/2026, 16:09:31 UTC
Last updated: 06/22/2026, 19:09:21 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.