Vulnerabilities in dnsmasq Allow DNS Cache Poisoning and Root Code Execution

Six vulnerabilities have been identified in dnsmasq, a package that combines a caching DNS resolver, a DHCP server, an IPv6 router advertisement service, and a network boot system. They allow code execution as root, domain redirection, disclosure of process memory, and service crashes. The issues are fixed in dnsmasq 2.92rel2; the fixes are also available as patches.

Issues identified:

  • CVE-2026-4892 is a buffer overflow in the DHCPv6 implementation that allows an attacker with local network access to execute code with root privileges by sending a specially crafted DHCPv6 packet. The overflow occurs because the DHCPv6 CLID is written to the buffer without taking into account that the packet stores the data in hexadecimal notation, which uses three bytes ("%xx") for each actual CLID byte (for example, storing a 1000-byte CLID would result in 3000 bytes being written).
  • CVE-2026-2291 is a buffer overflow in the extract_name() function that allows an attacker to insert bogus entries into the DNS cache and redirect a domain to another IP address. The overflow occurs because the buffer is allocated without taking into account the escaping of certain characters in dnsmasq's internal representation of the domain name.
  • CVE-2026-4893 is an information leak that allows bypassing DNS verification by sending a specially crafted DNS packet containing client subnet information (RFC 7871). This vulnerability can be used to reroute DNS responses and redirect users to the attacker's domain. The vulnerability is caused by passing the OPT record length to the check_source() function instead of the packet length, causing the function to always return a successful verification result.
  • CVE-2026-4891 is an out-of-bounds read in DNSSEC validation that leaks memory contents into the response when processing a specially crafted DNS query.
  • CVE-2026-4890 is a DNSSEC validation loop that could result in a denial of service via a specially crafted DNS packet.
  • CVE-2026-5172 is an out-of-bounds read in the extract_addresses() function that leads to a crash when processing specially crafted DNS responses.
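
The sizing mistake described for CVE-2026-4892, shown as an added C example (not dnsmasq's code): a raw-length check passes for a 1000-byte CLID while the "%xx" form needs 3000 bytes plus a terminator. The function names and buffer sizes are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed check (illustrative): compares the RAW length with the buffer size,
 * ignoring that every input byte becomes three output bytes. */
static int raw_len_fits(size_t clid_len, size_t dst_size)
{
    return clid_len < dst_size;
}

/* Bytes needed for the "%xx" form plus NUL; 0 if the size would overflow. */
static size_t clid_escaped_size(size_t clid_len)
{
    if (clid_len > (SIZE_MAX - 1) / 3)
        return 0;
    return clid_len * 3 + 1;
}

/* Write clid as "%xx" triplets into dst. Returns the number of characters
 * written (excluding NUL), or -1 if dst is too small. The length test is
 * done by division, so it cannot wrap around, and nothing is written on
 * failure. */
static long clid_escape(const unsigned char *clid, size_t clid_len,
                        char *dst, size_t dst_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, o = 0;

    if (dst_size == 0 || clid_len > (dst_size - 1) / 3)
        return -1;
    for (i = 0; i < clid_len; i++) {
        dst[o++] = '%';
        dst[o++] = hex[clid[i] >> 4];
        dst[o++] = hex[clid[i] & 0x0f];
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    unsigned char clid[1000] = {0};   /* constructed sample: 1000-byte CLID */
    char small[1024], big[3001];      /* assumed buffer sizes */

    printf("raw check passes: %d\n", raw_len_fits(sizeof clid, sizeof small));
    printf("bytes needed:     %zu\n", clid_escaped_size(sizeof clid));
    printf("1024-byte buffer: %ld\n", clid_escape(clid, sizeof clid, small, sizeof small));
    printf("3001-byte buffer: %ld\n", clid_escape(clid, sizeof clid, big, sizeof big));
    return 0;
}
```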

The status of vulnerability fixes in distributions can be assessed on these pages (if the page is unavailable, it means the distribution developers have not yet begun to address the issue): Debian, Ubuntu, SUSE, RHEL, Gentoo, Arch, Fedora, OpenWrt, FreeBSD. Dnsmasq is used in the Android platform and in specialized distributions such as OpenWrt and DD-WRT, as well as in the firmware of wireless routers from many manufacturers. In standard distributions, dnsmasq may be installed when libvirt is used to provide DNS service in virtual machines, or it may be activated in the NetworkManager configurator.

Source: opennet.ru