PatchSiren

CVE-2026-12969 Red Hat CVE debrief

CVE-2026-12969 is an out-of-bounds read vulnerability in dnsmasq's find_soa() function in src/rfc1035.c. The vulnerability occurs when parsing NS section records, where extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 5.3, with a severity rating of MEDIUM. The CVE was published on 2026-06-23T14:17:22.790Z and modified on 2026-06-23T16:16:59.137Z.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-23
Advisory published: 2026-06-23
Advisory updated: 2026-06-23

Who should care

Organizations using dnsmasq in their network infrastructure should be aware of this vulnerability. Specifically, those with exposed DNS servers or those that allow untrusted DNS responses to be processed by dnsmasq should prioritize patching. Red Hat has acknowledged the vulnerability and provided references for further information.

Technical summary

The vulnerability exists in the find_soa() function of dnsmasq, specifically in the src/rfc1035.c file. When parsing NS section records, the extract_name() function is called without properly validating the existence of 10 additional bytes for fixed-length DNS record fields. This oversight allows a remote attacker to craft a malicious NXDOMAIN response that triggers a 10-byte heap out-of-bounds read. The potential impact includes accessing stale data from prior transactions. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
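
The bounds check whose absence is described above, as an added example (not dnsmasq's code and not the vendor patch): a record walker that refuses to read the 10 fixed-length bytes after a name (TYPE, CLASS, TTL, RDLENGTH) unless they lie inside the buffer. The names skip_name and rr_next and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RR_FIXED_LEN 10 /* TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) */

/* Hypothetical helper (not dnsmasq's extract_name): return the offset just
 * past the encoded name at off, or 0 if the name is malformed or truncated. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = pkt[off];
        if (l == 0)
            return off + 1;                       /* root label ends the name */
        if ((l & 0xC0) == 0xC0)                   /* 2-byte compression pointer ends it */
            return (len - off >= 2) ? off + 2 : 0;
        if (l & 0xC0)
            return 0;                             /* reserved label type */
        off += 1 + (size_t)l;                     /* ordinary label */
    }
    return 0;
}

/* Validate the record at off. Returns the offset of the next record and
 * stores its TYPE, or returns 0 when any field would lie outside the buffer. */
size_t rr_next(const uint8_t *pkt, size_t len, size_t off, uint16_t *type)
{
    size_t p = skip_name(pkt, len, off);
    if (p == 0 || len - p < RR_FIXED_LEN)         /* fixed fields must be in bounds */
        return 0;
    *type = (uint16_t)((pkt[p] << 8) | pkt[p + 1]);
    size_t rdlen = (size_t)((pkt[p + 8] << 8) | pkt[p + 9]);
    p += RR_FIXED_LEN;
    return (len - p >= rdlen) ? p + rdlen : 0;    /* RDATA must be in bounds too */
}

/* Constructed sample records: name "a", then TYPE=SOA(6), CLASS=IN, TTL=0, RDLENGTH=0. */
static const uint8_t rr_ok[] = { 1, 'a', 0, 0, 6, 0, 1, 0, 0, 0, 0, 0, 0 };
static const uint8_t rr_short[] = { 1, 'a', 0, 0, 6, 0, 1 };  /* fixed fields cut off */

int main(void)
{
    uint16_t t = 0;
    printf("complete:  next=%zu\n", rr_next(rr_ok, sizeof rr_ok, 0, &t));
    printf("truncated: next=%zu\n", rr_next(rr_short, sizeof rr_short, 0, &t));
    return 0;
}
```

A parser that treats a return of 0 as "stop and drop the response" never dereferences the fixed fields of a truncated record.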

Defensive priority

Given the MEDIUM severity and the potential for data exposure, defenders should prioritize patching or mitigating this vulnerability. Organizations should review their dnsmasq configurations and update to a patched version as soon as possible.

Recommended defensive actions

  • Review and apply patches for dnsmasq to address the out-of-bounds read vulnerability.
  • Implement network segmentation to limit the impact of a potential exploit.
  • Monitor DNS traffic for suspicious NXDOMAIN responses.
  • Verify that dnsmasq configurations do not allow untrusted DNS responses to be processed.
  • Consider compensating controls such as DNS response validation.

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. Red Hat has also provided references to their security advisory and bugzilla entry for further details. The CVE was published and modified on the same day, indicating rapid initial analysis.

Official resources

This article is AI-assisted and based on the supplied source corpus.