Description
An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
Problem types
Product status
Timeline
| 2026-04-24: | Reported to Red Hat. |
| 2026-05-10: | Made public. |
Credits
Red Hat would like to thank dolitli for reporting this issue.
References
access.redhat.com/security/cve/CVE-2026-12969
bugzilla.redhat.com/show_bug.cgi?id=2491663 (RHBZ#2491663)