oss-sec mailing list archives
dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 11 May 2026 11:11:39 -0700
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html announces:
Today, 11th May 2026 CERT is releasing a set of six CVEs for serious security vulnerabilities in dnsmasq. These are all long-standing bugs which apply to pretty much all non-ancient versions. The CVE has been pre-disclosed to vendors, so hopefully they will be releasing patched versions of their dnsmasq packages in a timely manner.Details and patches are available on the website at https://thekelleys.org.uk/dnsmasq/CVE/and I have made "2.92rel2" release of the current 2.92 dnsmasq stable release which is downloadable from the usual place and has had these patches applied.At the same time, the commits which fix these bugs in the development tree will be uploaded. Some of these use the same patches as the backports, but some are more comprehensive re-writes to tackle root-causes.There has been something of a revolution in AI-based security research, and I've spent a lot of time over the last couple of months dealing with bug reports, weeding duplicates (so many duplicates!) and triaging bugs into those which need vendor pre-disclosure and those which it's better to make public and fix immediately. Those judgements have been necessarily subjective, but given the number of times "good guys" have found these bugs, there's no doubt that "bad guys" have been able to do the same, so long embargoes seem kind of pointless. There's also the problem that the amount of time and effort, for all actors, needed to co-ordinate an embargo and provide backports is huge. I think the priority for most bugs is to fix them going forward, and have new dnsmasq releases as bug-free as possible. To this end, you may have noticed that there have been a lot of security-fix commits to the git repo in the weeks prior to this announcement.I will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93 release done ASAP. Testing of release candidate by members here is important and I'd like to encourage anyone who can to do that as soon as they can. With luck, 2.93 could be out in a week or so.The tsunami of AI-generated bug reports shows no signs of stopping, so it is likely that this process will have to be repeated again soon. There's a tension between getting as much as possible of the ongoing bug stream fixed in 2.93 and it's timely release. I plan to prioritise timeliness, and keep working after that as necessary.Simon.
https://www.kb.cert.org/vuls/id/471747 provides additional details:
dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation Vulnerability Note VU#471747 Original Release Date: 2026-05-11 | Last Revised: 2026-05-11 Overview -------- dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. Description ----------- dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information. CVE-2026-5172 A buffer overflow vulnerability in dnsmasq’s extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response. Impact ------ These vulnerabilities collectively pose various risks: DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services. Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893) — Attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains. Information Disclosure (CVE-2026-4891, CVE-2026-4893) — Internal memory and network information may be inadvertently exposed. Local Privilege Escalation (CVE-2026-4892) — A local attacker may execute arbitrary code as root via DHCPv6 manipulation. Solution -------- dnsmasq has released version 2.93 to fix the above vulnerabilities, and various vendors have published patches to address individual remediations. A full list of affected vendors and vendor patches can be found in the References section below. This note, as well as the CVE listings, will be updated as additional patches become available. Acknowledgements ---------------- Thank you to the reporters for discovering these vulnerabilities: * Hugo Martinez (hugomray () gmail com) - CVE-2026-5172, CVE-2026-2291 * Andrew Fasano (NIST) - CVE-2026-2291 * Royce M (royce () xchglabs com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291 * Asim Viladi Oglu Manizada - CVE-2026-4892 * Mattia Ricciardi (mindless) - CVE-2026-2291
--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation Alan Coopersmith (May 11)