[Dnsmasq-discuss] New dnsmasq CVEs assigned: CVE-2025-12198 CVE-2025-12199 CVE-2025-12200, likely bogus
Matthias Andree
matthias.andree at gmx.de
Wed Oct 29 17:32:26 UTC 2025
On 29.10.25 at 15:25, Petr Menšík via Dnsmasq-discuss wrote:
> Unlike last time we received embargoed AI generated content, this time
> there is CVE assigned for dnsmasq. I have no time to solve how real
> they are, but I doubt it describes anything of severity Important.
>
> Yes, there might be bugs in DHCP parsing code, but if they need root
> access, then they cannot be CVSS score 7.8. If you have not caught
> them yet, I am just posting here that they did appear. I think they should
> be disputed or have their CVSS score fixed.
>
> If any software passes unfiltered content from unprivileged users to
> dnsmasq, then that software should receive Important CVE.
>
> https://www.openwall.com/lists/oss-security/2025/10/27/1
>
> https://www.cve.org/CVERecord?id=CVE-2025-12198
>
Thanks Petr.
The claim on all three of them is "up to 2.73rc6", which was a release
candidate more than 10.5 years ago [1], and there is a thread of
critical voices on said mailing list about being AI nonsense, or
questionable validation (before assignment) on VulDB's side, which is
the CNA who assigned those CVEs including 2025-12198 -- one of the
organizations that can assign CVE numbers.
They have been called out on the oss-security@ list by its moderator,
Alexander aka Solar Designer, already.
See <https://www.openwall.com/lists/oss-security/2025/10/28/3>.
[1] The first candidate not encompassed by three CVEs would be this
according to the public Git:
> tag v2.73rc7
> Tagger: Simon Kelley <simon at thekelleys.org.uk>
> Date: Tue Apr 28 20:46:54 2015 +0100
>
> release tag
Regards,
Matthias