{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-12198", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-10-25T06:21:53.115Z", "datePublished": "2025-10-27T00:58:12.511Z", "dateUpdated": "2025-10-28T15:20:41.952Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-27T00:58:12.511Z"}, "title": "dnsmasq Config File util.c parse_hex heap-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "dnsmasq", "versions": [{"version": "2.73rc1", "status": "affected"}, {"version": "2.73rc2", "status": "affected"}, {"version": "2.73rc3", "status": "affected"}, {"version": "2.73rc4", "status": "affected"}, {"version": "2.73rc5", "status": "affected"}, {"version": "2.73rc6", "status": "affected"}], "modules": ["Config File Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dnsmasq up to 2.73rc6. Affected is the function parse_hex of the file src/util.c of the component Config File Handler. The manipulation of the argument i leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in dnsmasq up to 2.73rc6 gefunden. Es betrifft die Funktion parse_hex der Datei src/util.c der Komponente Config File Handler. Dank der Manipulation des Arguments i mit unbekannten Daten kann eine heap-based buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs hat dabei lokal zu erfolgen. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.8, "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-10-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-10-25T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-10-25T08:27:10.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zh_vul (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.329868", "name": "VDB-329868 | dnsmasq Config File util.c parse_hex heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.329868", "name": "VDB-329868 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.673138", "name": "Submit #673138 | dnsmasq dnsmasq v2.73rc6 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g/", "tags": ["exploit"]}], "tags": ["x_open-source"]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-10-28T01:20:45.186Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2025/10/27/1"}, {"url": "https://news.ycombinator.com/item?id=45727137"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}, {"references": [{"url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-28T15:20:38.296250Z", "id": "CVE-2025-12198", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-28T15:20:41.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.openwall.com/lists/oss-security/2025/10/27/1"}, {"url": "https://news.ycombinator.com/item?id=45727137"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-10-28T01:20:45.186Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12198", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-28T15:20:38.296250Z"}}}], "references": [{"url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-28T15:20:31.671Z"}}], "cna": {"tags": ["x_open-source"], "title": "dnsmasq Config File util.c parse_hex heap-based overflow", "credits": [{"lang": "en", "type": "reporter", "value": "zh_vul (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.8, "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Config File Handler"], "product": "dnsmasq", "versions": [{"status": "affected", "version": "2.73rc1"}, {"status": "affected", "version": "2.73rc2"}, {"status": "affected", "version": "2.73rc3"}, {"status": "affected", "version": "2.73rc4"}, {"status": "affected", "version": "2.73rc5"}, {"status": "affected", "version": "2.73rc6"}]}], "timeline": [{"lang": "en", "time": "2025-10-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-10-25T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-10-25T08:27:10.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.329868", "name": "VDB-329868 | dnsmasq Config File util.c parse_hex heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.329868", "name": "VDB-329868 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.673138", "name": "Submit #673138 | dnsmasq dnsmasq v2.73rc6 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g/", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dnsmasq up to 2.73rc6. Affected is the function parse_hex of the file src/util.c of the component Config File Handler. The manipulation of the argument i leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in dnsmasq up to 2.73rc6 gefunden. Es betrifft die Funktion parse_hex der Datei src/util.c der Komponente Config File Handler. Dank der Manipulation des Arguments i mit unbekannten Daten kann eine heap-based buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs hat dabei lokal zu erfolgen. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-27T00:58:12.511Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12198", "state": "PUBLISHED", "dateUpdated": "2025-10-28T15:20:41.952Z", "dateReserved": "2025-10-25T06:21:53.115Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-10-27T00:58:12.511Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in dnsmasq up to 2.73rc6. Affected is the function parse_hex of the file src/util.c of the component Config File Handler. The manipulation of the argument i leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2025-12198", "lastModified": "2025-10-28T16:15:36.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-10-27T01:15:38.857", "references": [{"source": "cna@vuldb.com", "url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.329868"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.329868"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.673138"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://news.ycombinator.com/item?id=45727137"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2025/10/27/1"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://shimo.im/docs/1d3aMVMmNmiLjg3g"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dnsmasq: dnsmasq Config File util.c parse_hex heap-based overflow", "id": "2406466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406466"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-119|CWE-122)", "details": ["A heap-based buffer overflow vulnerability in dnsmasq within the parse_hex() function of src/util.c. When parsing malformed DHCP option values in configuration files, dnsmasq miscalculates the output length and writes beyond the allocated heap buffer. This can cause a crash (Denial of Service) and, in some cases, memory corruption that may enable arbitrary code execution. The flaw is triggered during configuration parsing, so an attacker who can supply or modify the dnsmasq configuration file could exploit it."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.\nTo reduce the risk, restrict who can write or supply dnsmasq configuration files (ensure /etc/dnsmasq.conf and any included files are owned by root and not writable by unprivileged users), remove or avoid DHCP hex option entries coming from automated or untrusted sources, and validate configuration artifacts in your deployment pipeline before they reach production. Run dnsmasq with least privilege (drop root where possible, use systemd sandboxing, chroot or seccomp), enable runtime hardening (ASLR, hardened allocators) and monitor for crashes after config changes."}, "name": "CVE-2025-12198", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-10-27T00:58:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-12198\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-12198\nhttps://shimo.im/docs/1d3aMVMmNmiLjg3g/\nhttps://vuldb.com/?ctiid.329868\nhttps://vuldb.com/?id.329868\nhttps://vuldb.com/?submit.673138"], "statement": "Although CVE-2025-12198 primarily appears as a local configuration parsing flaw, it is technically an Important vulnerability because it occurs in a core memory-handling routine (parse_hex()) that directly writes user-controlled data into heap memory without strict boundary checks. This function is invoked early during dnsmasq initialization, before privilege dropping or sandboxing, meaning any overflow occurs in a privileged context. The flaw\u2019s location in low-level parsing code shared across DHCP and DNS option handling \u2014 increases its impact surface, as even minor misconfigurations or automated provisioning systems that generate dnsmasq.conf dynamically could inadvertently process attacker-supplied data. Moreover, the overflow involves heap corruption adjacent to control structures, which can be weaponized for arbitrary code execution under certain heap conditions.", "threat_severity": "Important"}