SB2026051898 - Ubuntu update for dnsmasq
Published: May 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-2291)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds write in struct bigname when processing DNS queries or DNS responses containing large domain names. A remote attacker can send a specially crafted DNS query or response to cause a denial of service.
2) Input validation error (CVE-ID: CVE-2026-4890)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in NSEC bitmap parsing in dnssec.c when processing crafted DNSSEC NSEC or NSEC3 records. A remote attacker can send a specially crafted DNS response to cause a denial of service.
No valid DNSSEC signatures are needed because the issue is reachable before RRSIG validation.
3) Input validation error (CVE-ID: CVE-2026-4891)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in RRSIG packet handling in dnssec.c when processing crafted RRSIG records with an undersized rdlen value. A remote attacker can send a specially crafted DNS response to cause a denial of service.
4) Stack-based buffer overflow (CVE-ID: CVE-2026-4892)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to stack-based buffer overflow in helper.c when processing oversized DHCPv6 CLIDs for the --dhcp-script helper path. A remote attacker can send a specially crafted DHCPv6 client identifier to execute arbitrary code.
Only configurations with --dhcp-script enabled are vulnerable, and the helper process retains root privileges.
5) Input validation error (CVE-ID: CVE-2026-4893)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass client subnet source validation.
The vulnerability exists due to improper input validation in check_source() handling in process_reply() when processing DNS replies with the --add-subnet feature enabled. A remote attacker can send a specially crafted DNS reply to bypass client subnet source validation.
Only configurations with --add-subnet enabled are vulnerable.
6) Out-of-bounds read (CVE-ID: CVE-2026-5172)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in extract_addresses() when parsing a DNS resource record with a falsified rdlen value. A remote attacker can send a specially crafted DNS packet to cause a denial of service.
The issue occurs because extract_name() can advance the record pointer past the calculated end of the resource record, causing the remaining-length calculation to underflow.
Remediation
Install update from vendor's website.