A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.

A heap out-of-bounds read vulnerability was discovered in dnsmasq's DNS response processing. The extract_addresses() function trusts the declared record data length (rdlen) without verifying that a subsequent call to extract_name() stays within the record boundary. A crafted DNS response with a mismatched rdlen causes the remaining-bytes calculation to underflow, resulting in a massive out-of-bounds read and process crash.

Red Hat rates this as Important. While this bug does not require any special dnsmasq configuration, the impact is limited to denial of service. Red Hat Enterprise Linux 10 2026-05-19T00:00:00Z RHSA-2026:19158 dnsmasq-0:2.90-7.el10_2 Red Hat Enterprise Linux 6 Out of support scope dnsmasq Red Hat Enterprise Linux 7 Affected dnsmasq Red Hat Enterprise Linux 8 Affected dnsmasq Red Hat Enterprise Linux 9 Affected dnsmasq Red Hat OpenShift Container Platform 4 Affected rhcos https://www.cve.org/CVERecord?id=CVE-2026-5172 https://nvd.nist.gov/vuln/detail/CVE-2026-5172 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html