Re: dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation

[Sam James <sam () gentoo org>]

Alan Coopersmith <alan.coopersmith () oracle com> writes:

> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
> announces:
> > Today, 11th May 2026 CERT is releasing a set of six CVEs for serious
> > security vulnerabilities in dnsmasq. These are all long-standing
> > bugs which apply to pretty much all non-ancient versions. The CVE
> > has been pre-disclosed to vendors, so hopefully they will be
> > releasing patched versions of their dnsmasq packages in a timely
> > manner.
> > Details and patches are available on the website at
> > https://thekelleys.org.uk/dnsmasq/CVE/
> > and I have made "2.92rel2" release of the current 2.92 dnsmasq
> > stable release which is downloadable from the usual place and has
> > had these patches applied.
> >
> > [...]
> >
> > Thank you to the reporters for discovering these vulnerabilities:
> > * Hugo Martinez (hugomray () gmail com) - CVE-2026-5172, CVE-2026-2291
> > * Andrew Fasano (NIST) - CVE-2026-2291
> > * Royce M (royce () xchglabs com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891,
> >   CVE-2026-4890, CVE-2026-2291

Writeup for these 5 is available at https://xchglabs.com/blog/dnsmasq-five-cves.html

> > * Asim Viladi Oglu Manizada - CVE-2026-4892
> > * Mattia Ricciardi (mindless) - CVE-2026-2291

Attachment: signature.asc
Description: