In the foundational architecture of small-to-medium networks and home routing devices, dnsmasq is the open-source networking tool that quietly handles DNS forwarding, DHCP, and network boot services for millions of users. However, a new vulnerability note from CERT/CC has revealed that this critical piece of infrastructure is haunted by multiple memory safety and input validation flaws.
Collectively tracked across six CVEs (CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172), these vulnerabilities enable attackers to poison DNS caches, bypass security controls, and, in certain conditions, achieve local privilege escalation.
The reported issues range from heap buffer overflows to infinite loops, each providing a different lever for an attacker to destabilize a network.
- DNS Cache Poisoning (CVE-2026-2291): A flaw in the extract_name() function allows attackers to trigger a heap buffer overflow. This enables the injection of false DNS cache entries, “causing DNS queries to be redirected to attacker-controlled IP addresses or resulting in a Denial of Service (DoS)”.
- The Infinite Loop (CVE-2026-4890): This vulnerability targets DNSSEC validation. By sending a specially crafted DNS packet, a remote attacker can trigger an infinite loop, effectively knocking the dnsmasq service offline.
- Root Privilege Escalation (CVE-2026-4892): Perhaps the most severe from a local perspective, this flaw allows an attacker to “execute arbitrary code with root privileges via a crafted DHCPv6 packet”.
- A heap-based out-of-bounds read vulnerability (CVE-2026-4891) in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.
- An information disclosure vulnerability (CVE-2026-4893) in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information.
- A buffer overflow vulnerability (CVE-2026-5172) in dnsmasq's extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.
A successful exploit doesn’t just crash a router; it can redefine the network’s reality.
According to the CERT/CC note, these vulnerabilities pose several interlocking risks:
- Redirection: “Attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains”.
- Information Disclosure: Flaws in DNSSEC validation and RFC 7871 handling can lead to “internal memory and network information” being inadvertently exposed to remote attackers.
- Service Termination: As dnsmasq crashes or becomes unresponsive, it terminates DNS resolution, “affecting dependent services” across the entire local network.
Because dnsmasq is often embedded deep within the firmware of home routers and IoT devices, patching can be a complex process that relies on individual hardware vendors.
The primary defense is to move to the latest version of the software. dnsmasq has released version 2.92rel2 to fix the above vulnerabilities. While individual vendors have begun publishing patches for their own products, users are encouraged to check for firmware updates for their networking equipment immediately.
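As an added illustration of the version check implied by that advice (example code, not from the page or the dnsmasq project), the script below parses `dnsmasq --version` output and compares the installed version with 2.92rel2. The pre-release ordering (test < rc < rel) and the choice to rank a bare version such as "2.92" as older than its rel build are assumptions made here for a conservative check.

```python
import re
import subprocess

# Fixed release named in the advisory.
FIXED_VERSION = "2.92rel2"

# Assumed ordering of dnsmasq pre-release stages (an assumption, not from the page):
# "test" < "rc" < "rel". A bare "2.92" is ranked as stage "rel" with number 0, so it
# is conservatively treated as older than 2.92rel2 and flagged for update.
_STAGE_RANK = {"test": 0, "rc": 1, "rel": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:(test|rc|rel)(\d+))?$")


def parse_version(text):
    """Turn a string like '2.92rel2' into a comparable tuple (2, 92, 2, 2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised dnsmasq version: {text!r}")
    major, minor, stage, num = m.groups()
    rank = _STAGE_RANK[stage] if stage else _STAGE_RANK["rel"]
    return (int(major), int(minor), rank, int(num) if num else 0)


def version_from_banner(banner):
    """Extract the version token from the first line of 'dnsmasq --version'
    (constructed sample: 'Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley')."""
    m = re.search(r"Dnsmasq version (\S+)", banner)
    if not m:
        raise ValueError("no version line found in banner")
    return m.group(1)


def is_fixed(version, fixed=FIXED_VERSION):
    """True when the given version is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def check_local_dnsmasq():
    """Run the installed binary and report (version, carries_fix)."""
    out = subprocess.run(["dnsmasq", "--version"], capture_output=True, text=True).stdout
    ver = version_from_banner(out)
    return ver, is_fixed(ver)


if __name__ == "__main__":
    ver, ok = check_local_dnsmasq()
    status = "fixed" if ok else f"UPDATE NEEDED (older than {FIXED_VERSION})"
    print(f"dnsmasq {ver}: {status}")
```

On a router or appliance without shell access, the same comparison can be applied to the version string shown in the vendor's firmware release notes.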