{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/471747#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\ndnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.\r\n\r\n### Description\r\ndnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.\r\n\r\n**CVE-2026-2291**\r\ndnsmasq's `extract_name()` function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. 
This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS).\r\n\r\n**CVE-2026-4890**\r\nAn infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.\r\n\r\n**CVE-2026-4891**\r\nA heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.\r\n\r\n**CVE-2026-4892**\r\nA heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.\r\n\r\n**CVE-2026-4893**\r\nAn information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information.\r\n\r\n**CVE-2026-5172**\r\nA buffer overflow vulnerability in dnsmasq’s `extract_addresses()` function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.\r\n\r\n### Impact\r\nThese vulnerabilities collectively pose various risks:\r\n\r\n**DoS** (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services.\r\n\r\n**Cache Poisoning / Redirection** (CVE-2026-2291, CVE-2026-4893) — Attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains.\r\n\r\n**Information Disclosure** (CVE-2026-4891, CVE-2026-4893) — Internal memory and network information may be inadvertently exposed.\r\n\r\n**Local Privilege Escalation** (CVE-2026-4892) — A local attacker may execute arbitrary code as root via DHCPv6 manipulation.\r\n\r\n### Solution\r\ndnsmasq has released version 2.92rel2 to fix the above vulnerabilities, and various vendors have published patches to address individual 
remediations. A full list of affected vendors and vendor patches can be found in the References section below. This note, as well as the CVE listings, will be updated as additional patches become available.\r\n\r\n### Acknowledgements\r\nThank you to the reporters for discovering these vulnerabilities:\r\n* Hugo Martinez (hugomray@gmail.com) - CVE-2026-5172, CVE-2026-2291\r\n* Andrew Fasano (NIST) - CVE-2026-2291\r\n* Royce M (royce@xchglabs.com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291\r\n* Asim Viladi Oglu Manizada - CVE-2026-4892\r\n* Mattia Ricciardi (mindless) - CVE-2026-2291\r\n\r\nThis document was written by Christopher Cullen and Molly Jaconski. Special thanks to Simon Kelly of dnsmasq and all participating vendors for their prompt engagement and coordination efforts.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"SUSE dnsmasq is affected by this vulnerability.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"Arista Networks examined the CVE details provided. 
We do not believe ourselves to be vulnerable to the issues because we are either not running impacted versions or we are not using the impacted features on versions we are using where the vulnerability is present.","title":"Vendor statement from Arista Networks"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/471747"},{"url":"https://thekelleys.org.uk/dnsmasq/doc.html","summary":"https://thekelleys.org.uk/dnsmasq/doc.html"},{"url":"https://www.suse.com/security/cve/CVE-2026-2291.html","summary":"https://www.suse.com/security/cve/CVE-2026-2291.html"},{"url":"https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html","summary":"https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"},{"url":"https://thekelleys.org.uk/dnsmasq/CVE/","summary":"https://thekelleys.org.uk/dnsmasq/CVE/"},{"url":"https://thekelleys.org.uk/dnsmasq/LATEST_IS_2.92rel2","summary":"https://thekelleys.org.uk/dnsmasq/LATEST_IS_2.92rel2"},{"url":"https://github.com/NixOS/nixpkgs/pull/519082","summary":"Reference(s) from vendor \"NixOS\""},{"url":"https://github.com/NixOS/nixpkgs/pull/519093","summary":"Reference(s) from vendor \"NixOS\""},{"url":"https://www.suse.com/security/cve/CVE-2026-2291.html","summary":"Reference(s) from vendor \"SUSE Linux\""}],"title":"dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap 
manipulation","tracking":{"current_release_date":"2026-05-11T18:26:13+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.39"}},"id":"VU#471747","initial_release_date":"2026-05-11 16:49:35.805527+00:00","revision_history":[{"date":"2026-05-11T18:26:13+00:00","number":"1.20260511182613.3","summary":"Released on 2026-05-11T18:26:13+00:00"}],"status":"final","version":"1.20260511182613.3"}},"vulnerabilities":[{"title":"dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.","notes":[{"category":"summary","text":"dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS."}],"cve":"CVE-2026-2291","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-4285edb6-4d67-11f1-9ad6-1264d018803b","CSAFPID-42862646-4d67-11f1-9ad6-1264d018803b","CSAFPID-42865d64-4d67-11f1-9ad6-1264d018803b","CSAFPID-428692e8-4d67-11f1-9ad6-1264d018803b","CSAFPID-4286cb5a-4d67-11f1-9ad6-1264d018803b","CSAFPID-42870052-4d67-11f1-9ad6-1264d018803b","CSAFPID-42873950-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-4287a296-4d67-11f1-9ad6-1264d018803b"]}},{"title":"An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.","notes":[{"category":"summary","text":"An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information."}],"cve":"CVE-2026-4893","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-42884480-4d67-11f1-9ad6-1264d018803b","CSAFPID-42887be4-4d67-11f1-9ad6-1264d018803b","CSAFPID-4288b2d0-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-4288f0b0-4d67-11f1-9ad6-1264d018803b"]}},{"title":"A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.","notes":[{"category":"summary","text":"A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end."}],"cve":"CVE-2026-5172","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-428959d8-4d67-11f1-9ad6-1264d018803b","CSAFPID-42899056-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-4289c684-4d67-11f1-9ad6-1264d018803b"]}},{"title":"A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.","notes":[{"category":"summary","text":"A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet."}],"cve":"CVE-2026-4890","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-428a68b4-4d67-11f1-9ad6-1264d018803b","CSAFPID-428aa34c-4d67-11f1-9ad6-1264d018803b","CSAFPID-428ad84e-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-428b0d1e-4d67-11f1-9ad6-1264d018803b"]}},{"title":"A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 
packet.","notes":[{"category":"summary","text":"A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet."}],"cve":"CVE-2026-4892","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-428baf58-4d67-11f1-9ad6-1264d018803b","CSAFPID-428be4f0-4d67-11f1-9ad6-1264d018803b","CSAFPID-428c18c6-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-428c4e04-4d67-11f1-9ad6-1264d018803b"]}},{"title":"A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.","notes":[{"category":"summary","text":"A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet."}],"cve":"CVE-2026-4891","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#471747"}],"product_status":{"known_affected":["CSAFPID-428cb6dc-4d67-11f1-9ad6-1264d018803b","CSAFPID-428cedb4-4d67-11f1-9ad6-1264d018803b","CSAFPID-428d2324-4d67-11f1-9ad6-1264d018803b"],"known_not_affected":["CSAFPID-428d592a-4d67-11f1-9ad6-1264d018803b"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-4285edb6-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-42862646-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-42865d64-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arch Linux","product":{"name":"Arch Linux Products","product_id":"CSAFPID-428692e8-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu 
Products","product_id":"CSAFPID-4286cb5a-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-42870052-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-42873950-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NETGEAR","product":{"name":"NETGEAR Products","product_id":"CSAFPID-42876da8-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-4287a296-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-4287d84c-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-42884480-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-42887be4-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-4288b2d0-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-4288f0b0-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-428959d8-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-42899056-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-4289c684-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-4289fbea-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS 
Products","product_id":"CSAFPID-428a68b4-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-428aa34c-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-428ad84e-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-428b0d1e-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-428b42fc-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-428baf58-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-428be4f0-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-428c18c6-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-428c4e04-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-428cb6dc-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Pi-Hole","product":{"name":"Pi-Hole Products","product_id":"CSAFPID-428cedb4-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-428d2324-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-428d592a-4d67-11f1-9ad6-1264d018803b"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-428d8fa8-4d67-11f1-9ad6-1264d018803b"}}]}}