https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
announces:
Today, 11th May 2026, CERT is releasing a set of six CVEs for serious
security vulnerabilities in dnsmasq. These are all long-standing bugs
which apply to pretty much all non-ancient versions. The CVE has been
pre-disclosed to vendors, so hopefully they will be releasing patched
versions of their dnsmasq packages in a timely manner.
Details and patches are available on the website at
https://thekelleys.org.uk/dnsmasq/CVE/
and I have made a "2.92rel2" release of the current 2.92 dnsmasq stable
release which is downloadable from the usual place and has had these
patches applied.
At the same time, the commits which fix these bugs in the development
tree will be uploaded. Some of these use the same patches as the
backports, but some are more comprehensive re-writes to tackle root-causes.
There has been something of a revolution in AI-based security research,
and I've spent a lot of time over the last couple of months dealing with
bug reports, weeding duplicates (so many duplicates!) and triaging bugs
into those which need vendor pre-disclosure and those which it's better
to make public and fix immediately. Those judgements have been
necessarily subjective, but given the number of times "good guys" have
found these bugs, there's no doubt that "bad guys" have been able to do
the same, so long embargoes seem kind of pointless. There's also the
problem that the amount of time and effort, for all actors, needed to
co-ordinate an embargo and provide backports is huge. I think the
priority for most bugs is to fix them going forward, and have new
dnsmasq releases as bug-free as possible. To this end, you may have
noticed that there have been a lot of security-fix commits to the git
repo in the weeks prior to this announcement.
I will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93
release done ASAP. Testing of the release candidate by members here is
important and I'd like to encourage anyone who can to do that as soon as
they can. With luck, 2.93 could be out in a week or so.
The tsunami of AI-generated bug reports shows no signs of stopping, so
it is likely that this process will have to be repeated again soon.
There's a tension between getting as much as possible of the ongoing bug
stream fixed in 2.93 and its timely release. I plan to prioritise
timeliness, and keep working after that as necessary.
Simon.
https://www.kb.cert.org/vuls/id/471747 provides additional details:
dnsmasq contains several vulnerabilities, including attacker DNS redirect,
privilege escalation, and heap manipulation
Vulnerability Note VU#471747
Original Release Date: 2026-05-11 | Last Revised: 2026-05-11
Overview
--------
dnsmasq is affected by multiple memory safety and input validation
vulnerabilities, including heap buffer overflows, heap corruption, and code
execution flaws. Collectively, these vulnerabilities enable attackers to
poison cached DNS records, bypass security controls, crash the dnsmasq process,
or under certain conditions, achieve local privilege escalation.
Description
-----------
dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP,
and network boot services for small-to-medium sized networks and home routing
devices. It can also function as a DNS resolver, which is the primary
exploitation use case for several of the vulnerabilities described below,
tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891,
CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.
CVE-2026-2291
dnsmasq's extract_name() function can be abused to cause a heap buffer
overflow, enabling an attacker to inject false DNS cache entries. This could
cause DNS queries to be redirected to attacker-controlled IP addresses or
result in a Denial of Service (DoS).
CVE-2026-4890
An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote
attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.
CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of
dnsmasq allows remote attackers to leak memory information via a crafted DNS
packet.
CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of
dnsmasq allows local attackers to execute arbitrary code with root privileges
via a crafted DHCPv6 packet.
CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote attackers to
bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet
information.
CVE-2026-5172
A buffer overflow vulnerability in dnsmasq’s extract_addresses() function
allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by
exploiting a malformed DNS response.
Impact
------
These vulnerabilities collectively pose various risks:
* DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may crash or
  become unresponsive, terminating DNS resolution and affecting dependent
  services.
* Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893) — Attackers
  may overwrite cache entries or manipulate response routing, enabling the
  silent redirection of users to malicious domains.
* Information Disclosure (CVE-2026-4891, CVE-2026-4893) — Internal memory
  and network information may be inadvertently exposed.
* Local Privilege Escalation (CVE-2026-4892) — A local attacker may execute
  arbitrary code as root via DHCPv6 manipulation.
Solution
--------
dnsmasq has released version 2.93 to fix the above vulnerabilities, and
various vendors have published patches to address individual remediations.
A full list of affected vendors and vendor patches can be found in the
References section below. This note, as well as the CVE listings, will be
updated as additional patches become available.
Acknowledgements
----------------
Thank you to the reporters for discovering these vulnerabilities:
* Hugo Martinez ([email protected]) - CVE-2026-5172, CVE-2026-2291
* Andrew Fasano (NIST) - CVE-2026-2291
* Royce M ([email protected]) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891,
CVE-2026-4890, CVE-2026-2291
* Asim Viladi Oglu Manizada - CVE-2026-4892
* Mattia Ricciardi (mindless) - CVE-2026-2291
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
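
A patch-priority triage sketch, added here as an example (it is not code from dnsmasq, CERT, or the message above): it maps each CVE to the component named in the vulnerability note and reports whether a dnsmasq config file turns that component on. It assumes, which the note does not state, that a flaw is only reachable when its component is configured, and it reads one file only, ignoring `conf-file`/`conf-dir` includes and command-line options; the sample config is constructed.

```python
import ipaddress
import re

# Component each CVE is described as living in, per VU#471747 quoted above.
CVE_COMPONENT = {
    "CVE-2026-2291": "dns",     # extract_name()
    "CVE-2026-5172": "dns",     # extract_addresses(), malformed DNS response
    "CVE-2026-4893": "dns",     # crafted DNS packet with client-subnet data
    "CVE-2026-4890": "dnssec",  # DNSSEC validation
    "CVE-2026-4891": "dnssec",  # DNSSEC validation
    "CVE-2026-4892": "dhcpv6",  # DHCPv6 implementation
}

def _has_ipv6(value):
    """True if any comma-separated dhcp-range field is an IPv6 address."""
    for field in value.split(","):
        try:
            if ipaddress.ip_address(field.strip()).version == 6:
                return True
        except ValueError:
            continue  # tag:, set:, constructor:, prefix length, lease time
    return False

def configured_features(conf_text):
    """Return the dnsmasq components this one config file enables."""
    features = {"dns"}  # the DNS service is on unless port=0
    for raw in conf_text.splitlines():
        # '#' starts a comment only at line start or after whitespace
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "port" and value == "0":
            features.discard("dns")
        elif key == "dnssec":
            features.add("dnssec")
        elif key == "dhcp-range" and _has_ipv6(value):
            features.add("dhcpv6")
    if "dns" not in features:
        features.discard("dnssec")  # no DNS service, so no validation
    return features

def triage(conf_text):
    """Map each CVE to True when its component is configured in this file."""
    feats = configured_features(conf_text)
    return {cve: comp in feats for cve, comp in sorted(CVE_COMPONENT.items())}

SAMPLE_CONF = """# constructed sample, not from the page
server=9.9.9.9#53
dnssec   # validate upstream answers
dhcp-range=tag:lan,192.168.1.50,192.168.1.150,12h
dhcp-range=::100,::1ff,constructor:eth0,64,12h
"""

if __name__ == "__main__":
    for cve, on in triage(SAMPLE_CONF).items():
        print(cve, "component configured" if on else "component not seen in this file")
```

A `False` result means only that the component was not seen in the file that was read; it says nothing about whether the installed binary carries the fixes.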