Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to missing extrabytes validation
Description
An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (1)
Patches
Vulnerability mechanics
Root cause
"Missing validation of 10 additional bytes for fixed-length DNS record fields in find_soa() when calling extract_name() with extrabytes=0."
Attack vector
A remote attacker who controls a DNS zone that dnsmasq will query crafts an NXDOMAIN response whose NS section contains a record whose owner name ends exactly at the packet boundary, for example a two-byte compression pointer placed as the last two bytes of the packet. When dnsmasq's `find_soa()` walks that section it calls `extract_name()` with `extrabytes=0`, so the only check performed is that the name itself fits within the packet; nothing verifies that the 10 bytes of fixed-length fields that follow every owner name (TYPE, CLASS, TTL, RDLENGTH) are actually present. The subsequent `GETSHORT`/`GETLONG` macros read those 10 bytes unconditionally, so they read up to 10 bytes past the end of the received data in the heap-allocated packet buffer, where stale bytes from earlier transactions may still reside [ref_id=1].
Affected code
The vulnerable code is `find_soa()` in `src/rfc1035.c`. While iterating over the NS section it calls `extract_name()` with `extrabytes=0`. That argument tells `extract_name()` how many bytes after the name the caller intends to read without a bounds check of its own; with 0, the call validates only that the name fits within the packet, and the fixed-length fields that `GETSHORT`/`GETLONG` then read (2-byte TYPE, 2-byte CLASS, 4-byte TTL, 2-byte RDLENGTH, 10 bytes in all) are never checked against the packet length [ref_id=1].
What the fix does
The upstream fix, commit `14094e88beca519c53151184cc4553656672b54f`, passes the correct `extrabytes` value (10, the size of the fixed-length fields) to the `extract_name()` call in `find_soa()`, so the boundary check inside `extract_name()` rejects the record before `GETSHORT`/`GETLONG` run whenever the name is not followed by at least 10 bytes of packet data. The fix ships in dnsmasq 2.93rc1 [ref_id=1].
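As an added illustration of the mechanics and of the fix described above (example code written for this page, not dnsmasq's own `extract_name()`/`find_soa()`): a minimal C model of a DNS name skipper that takes an `extrabytes` argument, run over a constructed NXDOMAIN response whose NS-section owner name is a compression pointer occupying the last two bytes of the packet. The function and packet names (`skip_name`, `ns_fixed_field_overrun`, `nxdomain_pkt`, `wellformed_pkt`) and the packet bytes are assumptions made for the example. With `extrabytes=0` the model reports that the unchecked 10-byte fixed-field read would run 10 bytes past the end of the packet; with `extrabytes=10` the same packet is rejected before those reads happen, which is the behaviour the fix restores.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not dnsmasq code): models the extrabytes check of a DNS name
 * skipper and the unchecked 10-byte fixed-field read that follows an NS-section
 * owner name in find_soa(). */

#define DNS_HDR_LEN  12
#define FIXED_RR_LEN 10   /* TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Advance *pp past the DNS name at *pp. Returns 0 (reject) if the name, plus the
 * `extrabytes` bytes the caller will read after it without further checks, does
 * not fit inside pkt[0..len). Mirrors the role of extract_name()'s extrabytes.
 * Pointer targets are not followed: skipping a name does not require that. */
static int skip_name(const uint8_t *pkt, size_t len, const uint8_t **pp, size_t extrabytes)
{
    size_t off = (size_t)(*pp - pkt);
    for (;;) {
        if (off >= len) return 0;
        uint8_t l = pkt[off];
        if ((l & 0xC0) == 0xC0) {            /* compression pointer: 2 bytes, ends the name */
            if (off + 2 > len) return 0;
            off += 2;
            break;
        }
        if (l > 63) return 0;                /* reserved label types are not handled here */
        if (off + 1 + l > len) return 0;
        off += 1 + l;
        if (l == 0) break;                   /* root label terminates the name */
    }
    if (off + extrabytes > len) return 0;    /* with extrabytes=0 this never covers the fixed fields */
    *pp = pkt + off;
    return 1;
}

/* Model of find_soa()'s walk to the first NS-section record. Returns -1 if the
 * packet is rejected before the fixed fields are read, otherwise how many bytes
 * the unchecked 10-byte GETSHORT/GETLONG sequence would run past the packet end
 * (0 = in bounds). */
static long ns_fixed_field_overrun(const uint8_t *pkt, size_t len, size_t extrabytes)
{
    if (len < DNS_HDR_LEN) return -1;
    uint16_t qdcount = get16(pkt + 4), ancount = get16(pkt + 6), nscount = get16(pkt + 8);
    const uint8_t *p = pkt + DNS_HDR_LEN;

    for (uint16_t i = 0; i < qdcount; i++) {  /* question: name + QTYPE + QCLASS */
        if (!skip_name(pkt, len, &p, 4)) return -1;
        p += 4;
    }
    for (uint16_t i = 0; i < ancount; i++) {  /* answer RRs: name + fixed fields + RDATA */
        if (!skip_name(pkt, len, &p, FIXED_RR_LEN)) return -1;
        uint16_t rdlen = get16(p + 8);
        p += FIXED_RR_LEN;
        if ((size_t)(p - pkt) + rdlen > len) return -1;
        p += rdlen;
    }
    if (nscount == 0) return -1;

    if (!skip_name(pkt, len, &p, extrabytes)) return -1;   /* the extract_name() call at issue */
    size_t end = (size_t)(p - pkt) + FIXED_RR_LEN;         /* bytes GETSHORT/GETLONG would touch */
    return end > len ? (long)(end - len) : 0;
}

/* Constructed NXDOMAIN response (not a real capture): header with QR=1, RCODE=3,
 * QDCOUNT=1, ANCOUNT=0, NSCOUNT=1; question example.com A IN; NS-section owner
 * name = compression pointer to offset 12 as the final two bytes of the packet. */
static const uint8_t nxdomain_pkt[] = {
    0x12, 0x34, 0x81, 0x83, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C
};

/* Same packet with the 10 fixed-field bytes present (TYPE=SOA, CLASS=IN, TTL=60,
 * RDLENGTH=0), so both the vulnerable and the fixed check accept it. */
static const uint8_t wellformed_pkt[] = {
    0x12, 0x34, 0x81, 0x83, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C,
    0x00, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00
};

int main(void)
{
    printf("extrabytes=0  : overrun %ld bytes\n",
           ns_fixed_field_overrun(nxdomain_pkt, sizeof nxdomain_pkt, 0));
    printf("extrabytes=10 : %ld (-1 = rejected before fixed-field reads)\n",
           ns_fixed_field_overrun(nxdomain_pkt, sizeof nxdomain_pkt, FIXED_RR_LEN));
    return 0;
}
```

The model deliberately does not dereference past `len`; it only computes where the real macros would read. Running it prints an overrun of 10 bytes for `extrabytes=0` and a rejection for `extrabytes=10`, which is exactly the difference between the pre- and post-fix `extract_name()` call.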
Preconditions
- Config: the attacker must control a DNS zone that returns a crafted NXDOMAIN response
- Network: the attacker must be able to get DNS responses delivered to the target dnsmasq instance
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- access.redhat.com/security/cve/CVE-2026-12969 (mitre: vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre: issue-tracking, x_refsource_REDHAT)