Simon Kelley reports:
Today, 11th May 2026 CERT is releasing a set of six CVEs for serious
security vulnerabilities in dnsmasq. These are all long-standing bugs
which apply to pretty much all non-ancient versions.
Christopher Cullen and Molly Jaconski write, in Vulnerability Note
VU#471747:
- CVE-2026-2291: dnsmasq's extract_name() function can be abused to
  cause a heap buffer overflow, enabling an attacker to inject false
  DNS cache entries. This could cause DNS queries to be redirected
  to attacker-controlled IP addresses or result in a Denial of
  Service (DoS).
- CVE-2026-4890: An infinite-loop flaw in the DNSSEC validation of
  dnsmasq allows remote attackers to cause Denial of Service (DoS)
  conditions via a crafted DNS packet.
- CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the
  DNSSEC validation of dnsmasq allows remote attackers to leak memory
  information via a crafted DNS packet.
- CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the
  DHCPv6 implementation of dnsmasq allows local attackers to execute
  arbitrary code with root privileges via a crafted DHCPv6 packet.
- CVE-2026-4893: An information disclosure vulnerability in dnsmasq
  allows remote attackers to bypass source checks via a crafted DNS
  packet containing RFC 7871 client-subnet information.
- CVE-2026-5172: A buffer overflow vulnerability in dnsmasq’s
  extract_addresses() function allows attackers to trigger a heap
  out-of-bounds read and crash dnsmasq by exploiting a malformed DNS
  response.