CVE-2020-37127
Published 2026-02-05
CVE-2020-37127: Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying…
Priority P4 · 19 · medium · 5.5 (CVSS 3.1)
AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS: 0.18% (7.9th percentile)
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dnsmasq | < dnsmasq 2.80-1 (bookworm) | dnsmasq 2.80-1 (bookworm) |
| dnsmasq | dnsmasq-utils | — | — |
| thekelleys | dnsmasq | >= 0 < 2.80-1 | 2.80-1 |
| thekelleys | dnsmasq | >= 0 < 2.80-1 | 2.80-1 |
| thekelleys | dnsmasq | >= 0 < 2.80-1 | 2.80-1 |
| thekelleys | dnsmasq | >= 0 < 2.80-1 | 2.80-1 |
| ubuntu | dnsmasq | — | — |
CVSS provenance
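| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | LOW | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |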
Ubuntu
Dnsmasq vulnerability
vendor_ubuntu·2026-05-26
CVE-2020-37127 Dnsmasq vulnerability
Title: Dnsmasq vulnerability
Summary: Dnsmasq could be made to crash if it received specially crafted
input.
Petr Menšík discovered that Dnsmasq incorrectly handled certain
input in the dhcp_release utility. A local attacker could possibly
use this issue to cause Dnsmasq to crash, resulting in a denial of
service.
Instructions: In general, a standard system update will make all the necessary
changes.
Red Hat
dnsmasq: dnsmasq-utils 'dhcp_release' Denial of Service
vendor_redhat·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CWE-120 dnsmasq: dnsmasq-utils 'dhcp_release' Denial of Service
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Se
Debian
CVE-2020-37127: dnsmasq - Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_releas...
vendor_debian·2020·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127: dnsmasq - Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_releas...
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
Scope: local
bookworm: resolved (fixed in 2.80-1)
bullseye: resolved (fixed in 2.80-1)
forky: resolved (fixed in 2.80-1)
sid: resolved (fixed in 2.80-1)
trixie: resolved (fixed in 2.80-1)
OSV
CVE-2020-37127: Dnsmasq-utils 2
osv·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127: Dnsmasq-utils 2
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
GHSA
GHSA-j2ph-f4fj-m4r3: Dnsmasq-utils 2
ghsa_unreviewed·2026-02-05
CVE-2020-37127 [MEDIUM] CWE-121 GHSA-j2ph-f4fj-m4r3: Dnsmasq-utils 2
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-37127 netdata: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-42]
bugzilla·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127 netdata: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 've
Bugzilla
CVE-2020-37127 dnsmasq: dnsmasq-utils 'dhcp_release' Denial of Service
bugzilla·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127 dnsmasq: dnsmasq-utils 'dhcp_release' Denial of Service
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
Bugzilla
CVE-2020-37127 incus: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-43]
bugzilla·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127 incus: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-43]
Discussion:
I believe this is a false positive, as the CVE is reported against dnsmasq and dnsmasq is not shipped as part of the Incus package in Fedora. Although incus depends on dnsmasq, the referenced vulnerability happened to be in a much older version of dnsmasq than currently shipped with Fedora.
Bugzilla
CVE-2020-37127 incus: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-42]
bugzilla·2026-02-05·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127 incus: dnsmasq-utils 'dhcp_release' Denial of Service [fedora-42]
Discussion:
I believe this is a false positive, as the CVE is reported against dnsmasq and dnsmasq is not shipped as part of the Incus package in Fedora. Although incus depends on dnsmasq, the referenced vulnerability happened to be in a much older version of dnsmasq than currently shipped with Fedora.
Wiz
CVE-2020-37127 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2020-37127 [MEDIUM] CVE-2020-37127 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37127: dnsmasq vulnerability analysis and mitigation
Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters.
Source: NVD
Score: 6.9
Published: February 5, 2026
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: dnsmasq, Linux Red Hat
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: dnsmasq, dnsmasq-utils
Sources:
NVD
Debian 11, 12, 13, 14 Severity LO
Published: 2026-02-05