{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1425", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-25T17:17:00.491Z", "datePublished": "2026-01-26T07:32:06.516Z", "dateUpdated": "2026-02-23T08:58:07.493Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:58:07.493Z"}, "title": "pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "pymumu", "product": "SmartDNS", "versions": [{"version": "47.0", "status": "affected"}, {"version": "47.1", "status": "affected"}], "cpes": ["cpe:2.3:a:pymumu:smartdns:*:*:*:*:*:*:*:*"], "modules": ["SVBC Record Parser"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.6, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-26T19:07:29.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "liloler (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.342841", "name": "VDB-342841 | pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342841", "name": "VDB-342841 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736827", "name": "Submit #736827 | pymumu smartdns 47.1 Stack-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8", "tags": ["patch"]}, {"url": "https://github.com/pymumu/smartdns/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T14:16:06.137472Z", "id": "CVE-2026-1425", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T14:16:22.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1425", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T14:16:06.137472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T14:16:17.683Z"}}], "cna": {"tags": ["x_open-source"], "title": "pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow", "credits": [{"lang": "en", "type": "reporter", "value": "liloler (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:pymumu:smartdns:*:*:*:*:*:*:*:*"], "vendor": "pymumu", "modules": ["SVBC Record Parser"], "product": "SmartDNS", "versions": [{"status": "affected", "version": "47.0"}, {"status": "affected", "version": "47.1"}]}], "timeline": [{"lang": "en", "time": "2026-01-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-26T19:07:29.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.342841", "name": "VDB-342841 | pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342841", "name": "VDB-342841 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736827", "name": "Submit #736827 | pymumu smartdns 47.1 Stack-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8", "tags": ["patch"]}, {"url": "https://github.com/pymumu/smartdns/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:58:07.493Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1425", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:58:07.493Z", "dateReserved": "2026-01-25T17:17:00.491Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-26T07:32:06.516Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en pymumu SmartDNS hasta la versi\u00f3n 47.1. Esta vulnerabilidad afecta a la funci\u00f3n _dns_decode_rr_head/_dns_decode_SVCB_HTTPS del archivo src/dns.c del componente SVBC Record Parser. La manipulaci\u00f3n resulta en un desbordamiento de b\u00fafer basado en pila. Es posible lanzar el ataque de forma remota. Un alto nivel de complejidad est\u00e1 asociado con este ataque. Se afirma que la explotabilidad es dif\u00edcil. El parche se identifica como 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Se aconseja aplicar un parche para resolver este problema."}], "id": "CVE-2026-1425", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-26T08:16:00.490", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/pymumu/smartdns/"}, {"source": "cna@vuldb.com", "url": "https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.342841"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.342841"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.736827"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:43:04.262428+00:00", "value": {"mitigation_remediation": ["Upgrade SmartDNS to version 47.1 or newer, which includes the security fix.", "If the upgrade is not immediately possible, apply the patch identified by commit 2d57c4b4e1add9b4537aeb403f794a084727e1c8 to the source code and rebuild the service.", "As a temporary measure, block or filter incoming DNS queries that contain the SVCB or related HTTPS records using network firewall rules to mitigate the risk until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Remote code execution via stack buffer overflow"}, "threat_synthesis": {"affected_systems": "The affected product is pymumu SmartDNS up to version 47.1. This version range is listed by the CNA and covers all SmartDNS releases that include the SVBC parsing logic.", "description_and_impact": "A stack-based buffer overflow in the SVBC Record parser (function _dns_decode_SVCB_HTTPS in src/dns.c) allows attackers to supply crafted DNS messages that overflow the stack and potentially execute arbitrary code. The flaw exists in SmartDNS versions up to 47.1 and can be triggered remotely without authentication. The vulnerability is classified under CWE\u2011119 and CWE\u2011121, indicating unsafe buffer handling and improper stack management.", "risk_and_exploitability": "The CVSS score is 6.3, indicating moderate severity. The EPSS score is below 1%, showing a very low current exploitation probability, and the vulnerability is not listed in KEV. However, because the bug can be triggered remotely and leads to code execution, its impact is significant if an attacker can reach the server. Exploitation complexity is considered high by the vendor, implying that while feasible, it requires significant effort."}}}}, "created": "2026-01-27T09:03:41.431457+00:00", "updated": "2026-04-18T02:45:27.286886+00:00", "vendors": ["pymumu", "pymumu$PRODUCT$smartdns"]}