Vulnerabilities in dnsmasq Allow DNS Cache Poisoning and Root Code Execution

Six vulnerabilities have been identified in the Dnsmasq package, which combines a caching DNS resolver, a DHCP server, an IPv6 router advertisement service, and a network boot system. These vulnerabilities allow code execution as root, redirection of domains, disclosure of process memory, and service crashes. The issues are fixed in dnsmasq 2.92rel2. Fixes are also available as patches.

Issues identified:

  • CVE-2026-4892 - A buffer overflow in the DHCPv6 implementation allows an attacker with local network access to execute code with root privileges by sending a specially crafted DHCPv6 packet. The overflow occurs because the DHCPv6 CLID is written to the buffer without taking into account that the data is stored in hexadecimal notation, which uses three bytes ("%xx") for each actual CLID byte (for example, storing a 1000-byte CLID results in 3000 bytes being written).
  • CVE-2026-2291 - A buffer overflow in the extract_name() function allows an attacker to insert bogus records into the DNS cache and redirect a domain to a different IP address. The overflow occurs because the buffer allocation does not account for the escaping of certain characters in dnsmasq's internal representation of a domain name.
  • CVE-2026-4893 - An information leak that allows bypassing DNS verification by sending a specially crafted DNS packet containing client subnet information (RFC 7871). This vulnerability can be used to reroute DNS responses and redirect users to the attacker's domain. The vulnerability is caused by passing the OPT record length to the check_source() function instead of the packet length, causing the function to always return a successful verification result.
  • CVE-2026-4891 - An out-of-bounds read in DNSSEC validation leaks process memory contents into the response when processing a specially crafted DNS query.
  • CVE-2026-4890 - A loop in DNSSEC validation can result in a denial of service via a specially crafted DNS packet.
  • CVE-2026-5172 - An out-of-bounds read in the extract_addresses() function leads to a crash when processing specially crafted DNS responses.
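
The size mismatch behind CVE-2026-4892 (one raw byte becoming a three-byte "%xx" group) can be avoided by computing the expanded size before writing and rejecting input that does not fit. The following is an added example, not dnsmasq code or its patch; the function names `hex_escaped_size`, `hex_escape` and `demo_rejects_raw_sized_buffer` and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes needed to hold n raw bytes rendered as "%xx" groups plus the NUL.
   Returns 0 if the multiplication would overflow size_t. */
size_t hex_escaped_size(size_t n)
{
    if (n > (SIZE_MAX - 1) / 3)
        return 0;
    return n * 3 + 1;
}

/* Render src[0..n) as "%xx" groups into dst (capacity dstsize).
   Returns the number of characters written (excluding the NUL), or -1 if
   the output would not fit; dst is left as an empty string in that case. */
long hex_escape(char *dst, size_t dstsize, const unsigned char *src, size_t n)
{
    static const char digits[] = "0123456789abcdef";
    size_t need = hex_escaped_size(n);

    if (dstsize > 0)
        dst[0] = '\0';
    if (need == 0 || need > dstsize)
        return -1;              /* reject instead of writing past dst */

    for (size_t i = 0; i < n; i++) {
        *dst++ = '%';
        *dst++ = digits[src[i] >> 4];
        *dst++ = digits[src[i] & 0x0f];
    }
    *dst = '\0';
    return (long)(n * 3);
}

/* Constructed sample: a 1000-byte identifier and a buffer sized for the
   raw length only, the mismatch described in the CVE-2026-4892 item.
   Returns 1 when the bounded encoder refuses the write. */
int demo_rejects_raw_sized_buffer(void)
{
    unsigned char clid[1000];
    char out[1000 + 1];

    memset(clid, 0xab, sizeof clid);
    return hex_escape(out, sizeof out, clid, sizeof clid) == -1;
}
```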

The status of the fixes in distributions can be tracked on the following pages (if a page is unavailable, the distribution's developers have not yet begun investigating the issue): Debian, Ubuntu, SUSE, RHEL, Gentoo, Arch, Fedora, OpenWrt, and FreeBSD. Dnsmasq is used in the Android platform and in specialized distributions such as OpenWrt and DD-WRT, as well as in the firmware of wireless routers from many manufacturers. In standard distributions, Dnsmasq can be installed when libvirt is used to provide DNS service in virtual machines, or it can be activated in the NetworkManager configurator.

Source: opennet.ru
