CVE-2015-8899 — Improper Input Validation in Dnsmasq

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 76.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thekelleys Dnsmasq Canonical Ubuntu Linux

Timeline

PublishedJun 30

Latest updateMay 17

Description

Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debianthekelleys/dnsmasq< 2.76-1+3

▶NVDthekelleys/dnsmasq2.75

Also affects: Ubuntu Linux 15.10, 16.04

🔴Vulnerability Details

GHSA

GHSA-f299-rcx3-c9vw: Dnsmasq before 2↗2022-05-17

▶

OSV

CVE-2015-8899: Dnsmasq before 2↗2016-06-30

▶

CVEList

CVE-2015-8899: Dnsmasq before 2↗2016-06-30

▶

📋Vendor Advisories

Ubuntu

Dnsmasq vulnerability↗2016-06-20

▶

Red Hat

dnsmasq: Denial-of-service when empty address from DNS overlays A record from hosts↗2015-11-14

▶

Debian

CVE-2015-8899: dnsmasq - Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) v...↗2015

▶

💬Community

Bugzilla

CVE-2015-8899 dnsmasq: Denial-of-service when empty address from DNS overlays A record from hosts [fedora-all]↗2016-06-06

▶

Bugzilla

CVE-2015-8899 dnsmasq: Denial-of-service when empty address from DNS overlays A record from hosts↗2016-06-06

▶