Dnsmasq: set of serious CVEs

timur.davletshin · May 12, 2026, 3:14pm

https://www.kb.cert.org/vuls/id/471747 - DoS, Cache Poisoning / Redirection, Information Disclosure, Local Privilege Escalation...

hnyman · May 12, 2026, 3:18pm

So?

github.com/openwrt/openwrt

dnsmasq: bump to v2.92rel2 (#23316)

main ← dhewg:dnsmasq

opened 08:26AM - 12 May 26 UTC

dhewg

+3 -3

version 2.92rel2 2.92 point release incorporating fixes for CVE-2026-2291 …CVE-2026-4890 CVE-2026-4891 CVE-2026-4892 CVE-2026-4893 CVE-2026-5172 CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information. CVE-2026-5172 A buffer overflow vulnerability in dnsmasq’s extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response. https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html https://seclists.org/oss-sec/2026/q2/480 cc @hauke

timur.davletshin · May 12, 2026, 3:19pm

dave14305 · May 12, 2026, 3:45pm

What happens to 25.12 branch that is still on 2.91 but also affected? Will dnsmasq get bumped on the stable branch?

timur.davletshin · May 12, 2026, 5:12pm

@hnyman this question should be adressed to someone like you.

@dave14305 highly unlikely because 2.92 is more than just a bugfix release and contains new features and changes to DNSSEC logic.

dave14305 · May 12, 2026, 7:31pm

Maybe OpenWrt 25.12 will pick up the debian trixie patches for 2.91.

hnyman · May 12, 2026, 7:35pm

Based on the dnsmasq author's own comments, the patches should be applicable to 2.91 sources, too. Apparently only one patch needs changes compared to 2.92: https://thekelleys.org.uk/dnsmasq/CVE/

But it will require a separate patch PR to be created for 2.91 in 25.12.x.

hnyman · May 12, 2026, 8:11pm

github.com/openwrt/openwrt

[25.12] dnsmasq: apply six CVE-fix upstream patches to 2.91 (#23328)

openwrt-25.12 ← hnyman:dnsmasq291-CVE

opened 08:10PM - 12 May 26 UTC

hnyman

+218 -14

Apply upstream patches for the recently published CVEs in dnsmasq. * Source: …https://thekelleys.org.uk/dnsmasq/CVE/ * Reference: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html Compile-tested for ipq806x/R7800 Briefly run-tested with R7800. (My R7800 is a secondary router, so not the full scope of dnsmasq features is in real use)

hnyman · May 13, 2026, 3:58am

My PR has now been committed to the 25.12 branch for dnsmasq 2.91, and also to main/master with the 2.92 specific patch included. So, both new 25.12 builds and new main/master snapshot builds should be ok.

kz2o84a3m · May 13, 2026, 9:15am

Should this be backported to 24.10?

manelio · May 13, 2026, 11:27am

Thanks to everyone involved for the quick solution, dnsmasq 2.91-r3 is working!

hnyman · May 15, 2026, 5:54pm

Hauke did that: