Vulnerability Note VU#973527

Dnsmasq contains multiple vulnerabilities

Original Release date: 02 Oct 2017 | Last revised: 02 Feb 2018


Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities.


Multiple vulnerabilities have been reported in dnsmasq.

CWE-122: Heap-based Buffer Overflow - CVE-2017-14491

CWE-122: Heap-based Buffer Overflow - CVE-2017-14492

CWE-121: Stack-based Buffer Overflow - CVE-2017-14493

CWE-200: Information Exposure - CVE-2017-14494

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2017-14495

CWE-191: Integer Underflow - CVE-2017-14496

Please see the Google Security blog post for additional information.


Dnsmasq is a widely used piece of open-source software. These vulnerabilities can be triggered remotely via DNS and DHCP protocols and can lead to remote code execution, information exposure, and denial of service. In some cases an attacker would need to induce one or more DNS requests.


Apply an Update
dnsmasq version 2.78 has been released to address these vulnerabilities.
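
A version check for the update above, as an added example that is not part of the original note: it parses the first line of `dnsmasq --version` and classifies it against the 2.78 fix release. The function name, the status words and the handling of `rc`/`test` pre-release suffixes are assumptions of this example; distribution packages may carry backported fixes under an older upstream version string, so treat `affected` as a prompt to check the vendor's advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a dnsmasq version banner
# against VU#973527. Affected: 2.77 and earlier. Fixed upstream: 2.78.

# classify_dnsmasq_banner BANNER -> prints affected | fixed | review | unknown
classify_dnsmasq_banner() {
    # Expected banner shape (first line of `dnsmasq --version`):
    #   Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^[Dd]nsmasq version \([^ ]*\).*/\1/p' | head -n 1)
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}      # leading digits of the minor component
    suffix=${rest#"$minor"}     # "", "rc1", "test4", ...

    # Refuse to guess when the version does not look like MAJOR.MINOR[suffix].
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$rest" = "$ver" ] || [ -z "$minor" ]; then echo unknown; return 0; fi

    if [ "$major" -lt 2 ]; then echo affected; return 0; fi
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    if [ "$minor" -lt 78 ]; then echo affected; return 0; fi
    if [ "$minor" -gt 78 ]; then echo fixed; return 0; fi

    # Exactly 2.78: assumed pre-release tags (rc*/test*) may predate the
    # final fixes, so flag them for manual review instead of passing them.
    case $suffix in
        rc*|test*) echo review ;;
        *)         echo fixed ;;
    esac
}

# Check the locally installed binary, if there is one.
if command -v dnsmasq >/dev/null 2>&1; then
    banner=$(dnsmasq --version 2>/dev/null | head -n 1)
    echo "local dnsmasq: $(classify_dnsmasq_banner "$banner")"
fi
```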

Vendor Information

Vendor | Status | Date Notified | Date Updated
dnsmasq | Affected | 25 Sep 2017 | 02 Oct 2017
Ruckus Wireless | Affected | 25 Sep 2017 | 02 Feb 2018
Technicolor | Affected | - | 18 Oct 2017
ZyXEL | Affected | 25 Sep 2017 | 02 Feb 2018
Brocade Communication Systems | Not Affected | 25 Sep 2017 | 02 Feb 2018
3com Inc | Unknown | 25 Sep 2017 | 25 Sep 2017
ACCESS | Unknown | 25 Sep 2017 | 25 Sep 2017
Actiontec | Unknown | 25 Sep 2017 | 25 Sep 2017
Aerohive | Unknown | 25 Sep 2017 | 25 Sep 2017
Alcatel-Lucent | Unknown | 25 Sep 2017 | 25 Sep 2017
Amazon | Unknown | 25 Sep 2017 | 25 Sep 2017
Android Open Source Project | Unknown | 25 Sep 2017 | 25 Sep 2017
Apple | Unknown | 25 Sep 2017 | 25 Sep 2017
Arch Linux | Unknown | 25 Sep 2017 | 25 Sep 2017
Arista Networks, Inc. | Unknown | 25 Sep 2017 | 25 Sep 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 8.7 | E:H/RL:OF/RC:C
Environmental | 8.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND



Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher and Ron Bowes of the Google Security Team for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information


If you have feedback, comments, or additional information about this vulnerability, please send us email.