{"vuid":"VU#471747","idnumber":"471747","name":"dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation","keywords":null,"overview":"### Overview\r\ndnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.\r\n\r\n### Description\r\ndnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.\r\n\r\n**CVE-2026-2291**\r\ndnsmasq's `extract_name()` function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS).\r\n\r\n**CVE-2026-4890**\r\nAn infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.\r\n\r\n**CVE-2026-4891**\r\nA heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.\r\n\r\n**CVE-2026-4892**\r\nA heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.\r\n\r\n**CVE-2026-4893**\r\nAn information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information.\r\n\r\n**CVE-2026-5172**\r\nA buffer overflow vulnerability in dnsmasq’s `extract_addresses()` function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.\r\n\r\n### Impact\r\nThese vulnerabilities collectively pose various risks:\r\n\r\n**DoS** (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services.\r\n\r\n**Cache Poisoning / Redirection** (CVE-2026-2291, CVE-2026-4893) — Attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains.\r\n\r\n**Information Disclosure** (CVE-2026-4891, CVE-2026-4893) — Internal memory and network information may be inadvertently exposed.\r\n\r\n**Local Privilege Escalation** (CVE-2026-4892) — A local attacker may execute arbitrary code as root via DHCPv6 manipulation.\r\n\r\n### Solution\r\ndnsmasq has released version 2.92rel2 to fix the above vulnerabilities, and various vendors have published patches to address individual remediations. A full list of affected vendors and vendor patches can be found in the References section below. This note, as well as the CVE listings, will be updated as additional patches become available.\r\n\r\n### Acknowledgements\r\nThank you to the reporters for discovering these vulnerabilities:\r\n* Hugo Martinez (hugomray@gmail.com) - CVE-2026-5172, CVE-2026-2291\r\n* Andrew Fasano (NIST) - CVE-2026-2291\r\n* Royce M (royce@xchglabs.com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291\r\n* Asim Viladi Oglu Manizada - CVE-2026-4892\r\n* Mattia Ricciardi (mindless) - CVE-2026-2291\r\n\r\nThis document was written by Christopher Cullen and Molly Jaconski. Special thanks to Simon Kelly of dnsmasq and all participating vendors for their prompt engagement and coordination efforts.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://thekelleys.org.uk/dnsmasq/doc.html","https://www.suse.com/security/cve/CVE-2026-2291.html","https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html","https://thekelleys.org.uk/dnsmasq/CVE/","https://thekelleys.org.uk/dnsmasq/LATEST_IS_2.92rel2","https://github.com/pi-hole/FTL/releases/tag/v6.6.2","https://github.com/NixOS/nixpkgs/pull/519093","https://github.com/NixOS/nixpkgs/pull/519082"],"cveids":["CVE-2026-4891","CVE-2026-4892","CVE-2026-4890","CVE-2026-5172","CVE-2026-4893","CVE-2026-2291"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-05-11T16:49:36.647708Z","publicdate":"2026-05-11T16:49:35.805527Z","datefirstpublished":"2026-05-11T16:49:36.659326Z","dateupdated":"2026-05-11T19:55:24.526268Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":195}