
CISA issues update on dnsmasq vulnerabilities enabling DoS and code execution

dnsmasq contains multiple memory safety and input validation vulnerabilities that can enable cache poisoning or redirection, cause dnsmasq to crash or become unresponsive, and under certain conditions allow local privilege escalation.

The vulnerabilities include CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. dnsmasq’s extract_name() function can be abused to cause a heap buffer overflow, enabling injection of false DNS cache entries, which could redirect DNS queries to attacker-controlled IP addresses or result in a DoS. An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause DoS via a crafted DNS packet. A heap-based out-of-bounds read in DNSSEC validation allows remote attackers to leak memory information via a crafted DNS packet. A heap-based out-of-bounds write in the DHCPv6 implementation allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. An information disclosure issue in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information. A buffer overflow in the extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.

Collectively, the listed issues pose multiple risks. For DoS, dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services. For cache poisoning/redirection, attackers may overwrite cache entries or manipulate response routing, enabling silent redirection of users to malicious domains. For information disclosure, internal memory and network information may be inadvertently exposed. For local privilege escalation, a local attacker may execute arbitrary code as root via DHCPv6 manipulation.

dnsmasq has released version 2.93 to fix the above vulnerabilities. Various vendors have published patches for individual issues, and the advisory refers readers to its References section for the full list of affected vendors and vendor patches. The note and CVE listings will be updated as additional patches become available.
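As an added example (not part of the advisory or the dnsmasq project), the following Python sketch triages a host from the banner printed by `dnsmasq --version`: it compares the reported version with 2.93 and checks whether DNSSEC and DHCPv6, the two features the issues above name, are compiled in. The function name `triage`, the sample banners, and the handling of `rc`/`test` pre-release suffixes are assumptions made for the example.

```python
import re

FIXED = (2, 93)  # release the page names as containing the fixes

# Constructed sample banners in the format printed by `dnsmasq --version`.
SAMPLE_OLD = (
    "Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP "
    "DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC "
    "loop-detect inotify dumpfile\n"
)
SAMPLE_FIXED = (
    "Dnsmasq version 2.93  Copyright (c) 2000-2026 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN "
    "DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC "
    "loop-detect inotify dumpfile\n"
)


def triage(banner):
    """Report the version, whether it predates FIXED, and relevant build features."""
    m = re.search(r"^Dnsmasq version (\d+)\.(\d+)(\S*)", banner, re.M)
    if not m:
        raise ValueError("no dnsmasq version line found")
    version = (int(m.group(1)), int(m.group(2)))
    # Assumption: pre-release builds carry an rc/test suffix and precede the release.
    prerelease = bool(re.match(r"(rc|test)\d+", m.group(3)))
    older = version < FIXED or (version == FIXED and prerelease)
    opts_line = re.search(r"^Compile time options:(.*)$", banner, re.M)
    opts = set(opts_line.group(1).split()) if opts_line else set()
    # A "no-" prefix marks a feature left out of the build, so test the bare name.
    features = {name: name in opts for name in ("DNSSEC", "DHCPv6")}
    return {
        "version": m.group(0).split()[-1],
        "older_than_fix": older,
        "features": features,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_FIXED):
        print(triage(sample))
```

A version older than 2.93 is a prompt to check the vendor's advisory rather than proof of exposure, since vendor patches may be applied without changing the reported version. A compiled-in feature is also only reachable if it is enabled in the running configuration.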

The advisory points readers to its References section for affected vendors and vendor patches, and to the CVE listings for the specific vulnerability entries associated with these issues. It also gives the dnsmasq documentation URL, https://thekelleys.org.uk/dnsmasq/doc.html, and a vendor CVE page at https://www.suse.com/security/cve/CVE-2026-2291.html. NVD links are listed for CVE-2026-2291, CVE-2026-4893, CVE-2026-5172, CVE-2026-4890, CVE-2026-4892, and CVE-2026-4891.