SB2026051245 - Multiple vulnerabilities in Dnsmasq

Description

This security bulletin contains information about 6 vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2026-2291)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in struct bigname when processing DNS queries or DNS responses containing large domain names. A remote attacker can send a specially crafted DNS query or response to cause a denial of service.

2) Input validation error (CVE-ID: CVE-2026-4890)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in NSEC bitmap parsing in dnssec.c when processing crafted DNSSEC NSEC or NSEC3 records. A remote attacker can send a specially crafted DNS response to cause a denial of service.

No valid DNSSEC signatures are needed because the issue is reachable before RRSIG validation.

3) Out-of-bounds read (CVE-ID: CVE-2026-5172)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in extract_addresses() when parsing a DNS resource record with a falsified rdlen value. A remote attacker can send a specially crafted DNS packet to cause a denial of service.

The issue occurs because extract_name() can advance the record pointer past the calculated end of the resource record, causing the remaining-length calculation to underflow.

4) Input validation error (CVE-ID: CVE-2026-4893)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass client subnet source validation.

The vulnerability exists due to improper input validation in check_source() handling in process_reply() when processing DNS replies with the --add-subnet feature enabled. A remote attacker can send a specially crafted DNS reply to bypass client subnet source validation.

Only configurations with --add-subnet enabled are vulnerable.

5) Stack-based buffer overflow (CVE-ID: CVE-2026-4892)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to stack-based buffer overflow in helper.c when processing oversized DHCPv6 CLIDs for the --dhcp-script helper path. A remote attacker can send a specially crafted DHCPv6 client identifier to execute arbitrary code.

Only configurations with --dhcp-script enabled are vulnerable, and the helper process retains root privileges.

6) Input validation error (CVE-ID: CVE-2026-4891)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in RRSIG packet handling in dnssec.c when processing crafted RRSIG records with an undersized rdlen value. A remote attacker can send a specially crafted DNS response to cause a denial of service.

Remediation

Install update from vendor's website.

References

• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-2291.diff
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4890.dnsmasq-2.92.diff
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-5172.diff
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4893.diff
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4892.diff
• https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4891.diff