CVE-2026-1425

EUVD-2026-4706

26.01.2026, 08:16

A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulDB	CNA	5.6 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
pymumu	smartdns	47.0	CNA
pymumu	smartdns	47.1	CNA

Debian Releases

Debian Product

Codename

smartdns

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

smartdns

jammy	needs-triage
noble	needs-triage
questing	needs-triage

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://github.com/pymumu/smartdns/

https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8

https://vuldb.com/?ctiid.342841

https://vuldb.com/?id.342841

https://vuldb.com/?submit.736827