Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <124550bc-4540-451a-9c0a-d1d0aa951a2d@oracle.com>
Date: Mon, 11 May 2026 11:11:39 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: dnsmasq vulnerabilities, including attacker DNS
 redirect, privilege escalation, and heap manipulation

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html 
announces:
> Today, 11th May 2026 CERT is releasing a set of six CVEs for serious 
> security vulnerabilities in dnsmasq. These are all long-standing bugs 
> which apply to pretty much all non-ancient versions. The CVE has been 
> pre-disclosed to vendors, so hopefully they will be releasing patched 
> versions of their dnsmasq packages in a timely manner.
> 
> Details and patches are available on the website at
> 
> https://thekelleys.org.uk/dnsmasq/CVE/
> 
> and I have made "2.92rel2" release of the current 2.92 dnsmasq stable 
> release which is downloadable from the usual place and has had these 
> patches applied.
> 
> At the same time, the commits which fix these bugs in the development 
> tree will be uploaded. Some of these use the same patches as the 
> backports, but some are more comprehensive re-writes to tackle root-causes.
> 
> There has been something of a revolution in AI-based security research, 
> and I've spent a lot of time over the last couple of months dealing with 
> bug reports, weeding duplicates (so many duplicates!) and triaging bugs 
> into those which need vendor pre-disclosure and those which it's better 
> to make public and fix immediately. Those judgements have been 
> necessarily subjective, but given the number of times "good guys" have 
> found these bugs, there's no doubt that "bad guys" have been able to do 
> the same, so long embargoes seem kind of pointless. There's also the 
> problem that the amount of time and effort, for all actors, needed to 
> co-ordinate an embargo and provide backports is huge. I think the 
> priority for most bugs is to fix them going forward, and have new 
> dnsmasq releases as bug-free as possible. To this end, you may have 
> noticed that there have been a lot of security-fix commits to the git 
> repo in the weeks prior to this announcement.
> 
> I will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93 
> release done ASAP. Testing of release candidate by members here is 
> important and I'd like to encourage anyone who can to do that as soon as 
> they can. With luck, 2.93 could be out in a week or so.
> 
> The tsunami of AI-generated bug reports shows no signs of stopping, so 
> it is likely that this process will have to be repeated again soon. 
> There's a tension between getting as much as possible of the ongoing bug 
> stream fixed in 2.93 and it's timely release. I plan to prioritise 
> timeliness, and keep working after that as necessary.
> 
> 
> 
> Simon.

https://www.kb.cert.org/vuls/id/471747 provides additional details:
> dnsmasq contains several vulnerabilities, including attacker DNS redirect,
>  privilege escalation, and heap manipulation
> 
> Vulnerability Note VU#471747
> Original Release Date: 2026-05-11 | Last Revised: 2026-05-11
> 
> Overview
> --------
> dnsmasq is affected by multiple memory safety and input validation
> vulnerabilities, including heap buffer overflows, heap corruption, and code
> execution flaws. Collectively, these vulnerabilities enable attackers to
> poison cached DNS records, bypass security controls, crash the dnsmasq process,
> or under certain conditions, achieve local privilege escalation.
> 
> Description
> -----------
> 
> dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP,
> and network boot services for small-to-medium sized networks and home routing
> devices. It can also function as a DNS resolver, which is the primary
> exploitation use case for several of the vulnerabilities described below,
> tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891,
> CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.
> 
> CVE-2026-2291
> dnsmasq's extract_name() function can be abused to cause a heap buffer
> overflow, enabling an attacker to inject false DNS cache entries. This could
> cause DNS queries to be redirected to attacker-controlled IP addresses or
> result in a Denial of Service (DoS).
> 
> CVE-2026-4890
> An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote
> attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.
> 
> CVE-2026-4891
> A heap-based out-of-bounds read vulnerability in the DNSSEC validation of
> dnsmasq allows remote attackers to leak memory information via a crafted DNS
> packet.
> 
> CVE-2026-4892
> A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of
> dnsmasq allows local attackers to execute arbitrary code with root privileges
> via a crafted DHCPv6 packet.
> 
> CVE-2026-4893
> An information disclosure vulnerability in dnsmasq allows remote attackers to
> bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet
> information.
> 
> CVE-2026-5172
> A buffer overflow vulnerability in dnsmasq’s extract_addresses() function
> allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by
> exploiting a malformed DNS response.
> 
> Impact
> ------
> 
> These vulnerabilities collectively pose various risks:
> 
> DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may crash or
> become unresponsive, terminating DNS resolution and affecting dependent
> services.
> 
> Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893) — Attackers
> may overwrite cache entries or manipulate response routing, enabling the
> silent redirection of users to malicious domains.
> 
> Information Disclosure (CVE-2026-4891, CVE-2026-4893) — Internal memory
> and network information may be inadvertently exposed.
> 
> Local Privilege Escalation (CVE-2026-4892) — A local attacker may execute
> arbitrary code as root via DHCPv6 manipulation.
> 
> Solution
> --------
> 
> dnsmasq has released version 2.93 to fix the above vulnerabilities, and
> various vendors have published patches to address individual remediations.
> A full list of affected vendors and vendor patches can be found in the
> References section below. This note, as well as the CVE listings, will be
> updated as additional patches become available.
> 
> Acknowledgements
> ----------------
> 
> Thank you to the reporters for discovering these vulnerabilities:
> * Hugo Martinez (hugomray@...il.com) - CVE-2026-5172, CVE-2026-2291
> * Andrew Fasano (NIST) - CVE-2026-2291
> * Royce M (royce@...glabs.com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891,
>   CVE-2026-4890, CVE-2026-2291
> * Asim Viladi Oglu Manizada - CVE-2026-4892
> * Mattia Ricciardi (mindless) - CVE-2026-2291

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.