Nixpkgs security tracker

Untriaged

Permalink CVE-2026-12725

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 days, 17 hours ago by @LeSuisse Activity log

Created suggestion 3 days, 21 hours ago
@LeSuisse ignored package prometheus-dnsmasq-exporter 3 days, 17 hours ago

Dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey replies

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply such a DNS response may crash the dnsmasq process, resulting in denial of service.

References

https://access.redhat.com/security/cve/CVE-2026-12725 vdb-entryx_refsource_REDHAT
RHBZ#2490763 x_refsource_REDHATissue-tracking

Affected products

rhcos

dnsmasq

Matching in nixpkgs

pkgs.dnsmasq

Integrated DNS, DHCP and TFTP server for small networks

nixos-unstable 2.92rel2
- nixpkgs-unstable 2.92rel2
- nixos-unstable-small 2.92rel2
nixos-26.05 2.92rel2
- nixos-26.05-small 2.92rel2
- nixpkgs-26.05-darwin 2.92rel2

Ignored packages (1)

pkgs.prometheus-dnsmasq-exporter

Dnsmasq exporter for Prometheus

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-26.05 0.3.0
- nixos-26.05-small 0.3.0
- nixpkgs-26.05-darwin 0.3.0

Package maintainers