CVE-2025-12199 - Vulnerability Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Based on the analysis by MITRE and review of community feedback, the reported conditions represent expected and intentional behavior within dnsmasq's documented design, rather than security vulnerabilities.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dnsmasq	Dnsmasq

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-12199
https://shimo.im/docs/ZzkLMVMN7vIYJBAQ/
https://vuldb.com/?ctiid.329869
https://vuldb.com/?id.329869
https://vuldb.com/?submit.673154
https://www.cve.org/CVERecord?id=CVE-2025-12199

History

Mon, 03 Nov 2025 23:30:00 +0000

Type	Values Removed	Values Added
References	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2025q4/018337.html https://news.ycombinator.com/item?id=45727137 https://www.openwall.com/lists/oss-security/2025/10/27/1
Metrics	cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Mon, 03 Nov 2025 23:15:00 +0000

Type	Values Removed	Values Added
Title	dnsmasq Config File network.c check_servers null pointer dereference	dnsmasq: dnsmasq Config File network.c check_servers null pointer dereference
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

Mon, 03 Nov 2025 23:00:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability was found in dnsmasq up to 2.73rc6. Affected by this vulnerability is the function check_servers of the file src/network.c of the component Config File Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. It is still unclear if this vulnerability genuinely exists. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Based on the analysis by MITRE and review of community feedback, the reported conditions represent expected and intentional behavior within dnsmasq's documented design, rather than security vulnerabilities.
Metrics	cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`	cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P'}` cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability was found in dnsmasq up to 2.73rc6. Affected by this vulnerability is the function check_servers of the file src/network.c of the component Config File Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.	A vulnerability was found in dnsmasq up to 2.73rc6. Affected by this vulnerability is the function check_servers of the file src/network.c of the component Config File Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. It is still unclear if this vulnerability genuinely exists. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.

Sun, 02 Nov 2025 03:15:00 +0000

Type	Values Removed	Values Added
References		https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2025q4/018337.html

Tue, 28 Oct 2025 02:30:00 +0000

Type	Values Removed	Values Added
References		https://news.ycombinator.com/item?id=45727137

Tue, 28 Oct 2025 01:30:00 +0000

Type	Values Removed	Values Added
References		https://www.openwall.com/lists/oss-security/2025/10/27/1

Mon, 27 Oct 2025 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dnsmasq Dnsmasq dnsmasq
Vendors & Products		Dnsmasq Dnsmasq dnsmasq

Mon, 27 Oct 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Oct 2025 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-12199 https://www.cve.org/CVERecord?id=CVE-2025-12199
Metrics	threat_severity `None`	threat_severity `Low`

Mon, 27 Oct 2025 01:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in dnsmasq up to 2.73rc6. Affected by this vulnerability is the function check_servers of the file src/network.c of the component Config File Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		dnsmasq Config File network.c check_servers null pointer dereference
Weaknesses		CWE-404 CWE-476
References		https://shimo.im/docs/ZzkLMVMN7vIYJBAQ/ https://vuldb.com/?ctiid.329869 https://vuldb.com/?id.329869 https://vuldb.com/?submit.673154
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: REJECTED

Assigner: VulDB

Published: 2025-10-27T01:02:09.029Z

Updated: 2025-11-03T22:47:45.128Z

Reserved: 2025-10-25T06:22:00.749Z

Link: CVE-2025-12199

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-10-27T01:15:39.737

Modified: 2025-11-03T23:17:36.210

Link: CVE-2025-12199

Redhat

Severity : Low

Publid Date: 2025-10-27T01:02:09Z

Links: CVE-2025-12199 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object