Skip to main content

dnsmasq CVE-2026-2291

| EUVDEUVD-2026-29091 HIGH
2026-05-11 certcc GHSA-hjxh-hmm9-wcmc
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 08:39 vuln.today
Analysis Generated
Jun 08, 2026 - 08:39 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.3 (HIGH)
CVE Published
May 11, 2026 - 16:47 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.

AnalysisAI

Heap buffer overflow in dnsmasq's extract_name() function allows remote attackers to write out-of-bounds on the heap, enabling DNS cache poisoning that redirects lookups to attacker-controlled IP addresses or causes denial of service. The flaw stems from a bigname namebuffer sized for wire-form domain names (MAXDNAME) instead of the larger escaped internal representation (MAXDNAME*2 + 1). EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis, but multiple major distributions (Red Hat, SUSE, Ubuntu) have shipped patches reflecting widespread downstream exposure.

Technical ContextAI

dnsmasq is a lightweight DNS forwarder, DHCP server, and TFTP server widely deployed on routers, embedded devices, and Linux distributions as the default local resolver. The bug lives in extract_name(), which decodes DNS wire-format labels into a human-readable escaped form (where bytes like dots or non-printables expand to multi-character escape sequences). The on-heap 'struct bigname' buffer was allocated using MAXDNAME (sufficient for the compressed wire form) rather than MAXDNAME*2 + 1 needed for the worst-case escaped output, so a sufficiently adversarial name overflows the heap allocation. Although no CWE is assigned in the input, the root cause maps to CWE-122 (heap-based buffer overflow) driven by an undersized destination buffer in name canonicalization.

RemediationAI

Patch available per vendor advisory - apply the upstream dnsmasq fixes published at thekelleys.org.uk/dnsmasq/CVE/ via your distribution. For Red Hat consume RHSA-2026:19158 or RHSA-2026:19373 (access.redhat.com/errata/RHSA-2026:19158, access.redhat.com/errata/RHSA-2026:19373); for SUSE apply SUSE-SU-2026:1826 or SUSE-SU-2026:1827; for Ubuntu install USN-8268-1; for Pi-hole upgrade FTL to v6.6.2 (github.com/pi-hole/FTL/releases/tag/v6.6.2); for NixOS use the 2.92rel2 rebuild from PR 519082/519093. If immediate patching is not possible, restrict the resolver's exposure by binding dnsmasq to trusted interfaces only with --interface or --listen-address (side effect: breaks resolution for clients on excluded networks), and place an upstream validating resolver or DNS firewall between dnsmasq and untrusted networks so adversarial responses are filtered before reaching extract_name() (side effect: added latency and operational dependency). Disabling DNS forwarding entirely with --port=0 mitigates the DNS path but disables the resolver function, so it is only viable on hosts using dnsmasq purely for DHCP/TFTP.

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-14491 CRITICAL POC
9.8 Oct 04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-13704 HIGH
7.5 Oct 03

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call get

CVE-2017-14495 HIGH POC
7.5 Oct 03

Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote

CVE-2017-14496 HIGH POC
7.5 Oct 03

Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-su

CVE-2017-14493 CRITICAL POC
9.8 Oct 03

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execu

CVE-2017-14494 MEDIUM POC
5.9 Oct 03

dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vect

CVE-2019-14513 HIGH POC
7.5 Aug 01

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that

CVE-2015-3294 MEDIUM POC
6.4 May 08

The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function

CVE-2013-0198 MEDIUM POC
5.0 Mar 05

Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces,

CVE-2026-4892 HIGH
8.4 May 11

Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with roo

CVE-2021-3448 MEDIUM POC
4.0 Apr 08

A flaw was found in dnsmasq in versions before 2.85. Rated medium severity (CVSS 4.0), this vulnerability is remotely ex

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-2291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy