#VU8663 Memory leak in Dnsmasq

Published: 2020-03-18

Vulnerability identifier: #VU8663

Vulnerability risk: Low

CVSSv3.1: 4.2 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-14494


Exploitation vector: Local network

Exploit availability: Yes

Vulnerable software:
Server applications / DNS servers

Vendor: GNU


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to memory leak when processing DHCPv6 requests. A remote unauthenticated attacker on local network can send specially crafted DHCPv6 request to the affected service and cause dnsmasq to forward memory from outside the packet buffer to a DHCPv6 server when acting as a relay.

Successful exploitation of this vulnerability may allow an attacker to read parts of memory from the affected system and bypass ASLR.

Update to version 2.78.

Vulnerable software versions

Dnsmasq: 0.4 - 2.77

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability