dnsmasq Memory Safety Vulnerabilities Advisory: CVE-2026-2291, CVE-2026-4890-4893, CVE-2026-5172

Vulnerability Overview Vulnerability ID: VU#471747 Publication Date: 2026-05-11 Last Updated: 2026-05-12 Vulnerability Description: contains multiple memory safety and input validation vulnerabilities, including heap buffer overflow, heap corruption, and code execution flaws. These vulnerabilities allow attackers to poison cached DNS records, bypass security controls, crash the process, or achieve local privilege escalation under specific conditions. Version 2.92rel2 of has been released to remediate these vulnerabilities. Impact Scope DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172): may crash or become unresponsive, terminating DNS resolution and affecting dependent services. Cache Poisoning/Redirection (CVE-2026-2291, CVE-2026-4893): Attackers may overwrite cache entries or manipulate response routing to silently redirect users to malicious domains. Information Disclosure (CVE-2026-4891, CVE-2026-4893): Internal memory and network information may be inadvertently exposed. Local Privilege Escalation (CVE-2026-4892): A local attacker may execute arbitrary code as root by manipulating DHCPv6. Remediation Version 2.92rel2 of has been released to remediate the above vulnerabilities. Vendors have issued patches addressing individual fixes. A complete list of affected vendors and vendor-specific patches can be found in the References section. This advisory and the CVE list will be updated as additional patches become available. Affected Vendors Arch Linux NixOS Pi-Hole Red Hat SUSE Linux Ubuntu Wind River Arista Networks (Not Affected) Synology (Unknown) AlmaLinux OS Foundation (Unknown) References https://thekelleys.org.uk/dnsmasq/doc.html https://www.suse.com/security/cve/CVE-2026-2291.html https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html https://thekelleys.org.uk/dnsmasq/CVE/ https://thekelleys.org.uk/dnsmasq/LATEST_IS_2.92rel2 https://github.com/pi-hole/FTL/releases/tag/v6.6.2 https://github.com/NixOS/nixpkgs/pull/519093 https://github.com/NixOS/nixpkgs/pull/519082 Additional Information CVE IDs: CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, CVE-2026-5172 API URL: VINC JSON Public Disclosure Date: 2026-05-11 First Published Date: 2026-05-11 Last Update Date: 2026-05-12 16:49 UTC Document Revision: 5 Acknowledgments Thanks to the following reporters for discovering these vulnerabilities: Hugo Martinez (hugomar@gmail.com) - CVE-2026-5172, CVE-2026-2291 Andrew Fasano (NIST) - CVE-2026-2291 Royce M (royce@xchglabs.com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291 Asim Viladi Oglu Manizada - CVE-2026-4892 Mattia Ricciardi (mindless) - CVE-2026-2291 This document was authored by Christopher Cullen and Molly Jaconski. Special thanks to Simon Kelly for and to all participating vendors for their timely involvement and coordinated efforts.

Goal Reached Thanks to every supporter — we hit 100%!

dnsmasq Memory Safety Vulnerabilities Advisory: CVE-2026-2291, CVE-2026-4890-4893, CVE-2026-5172