A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | dnsmasq | 2017-10-02 17:05 | ALAS-2017-907 |
Amazon Linux 2 - Core | dnsmasq | 2019-07-18 18:22 | ALAS2-2019-1251 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Amazon Linux | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |