Are these real CVEs? VulDB entries for dnsmasq rely on replacing config files

Among the new CVE's published this weekend were these from the VulDB CNA: For all three bugs, the documented "exploit" requires "Replace the default configuration file (/etc/dnsmasq.conf) with the provided malicious file." and if you can replace the server's configuration file you don't need to play games with putting invalid contents in to break the parser, but can simply change the configuration directly.