Skip to main content

dnsmasq CVE-2026-4892

| EUVDEUVD-2026-29154 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-11 certcc GHSA-m62j-63mf-xr95
8.4
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 19:46 vuln.today
Analysis Generated
May 11, 2026 - 19:46 vuln.today
CVSS changed
May 11, 2026 - 19:22 NVD
8.4 (HIGH)
CVE Published
May 11, 2026 - 16:47 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 16:47 nvd
HIGH 8.4

DescriptionCVE.org

A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.

AnalysisAI

Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with root privileges. Affects dnsmasq 2.93 (and potentially earlier 2.92 branch based on NixOS patching activity). CERT/CC issued VU#471747, and upstream published CVE-specific advisory at thekelleys.org.uk/dnsmasq/CVE/. NixOS patch activity (PR #519082, #519093) indicates real-world remediation effort. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.4 score.

Technical ContextAI

dnsmasq is a lightweight DNS forwarder and DHCP/DHCPv6 server commonly deployed in Linux distributions, routers, and embedded systems. The vulnerability resides in DHCPv6 packet parsing logic (CWE unspecified, but classic heap buffer overflow). CPE string cpe:2.3:a:dnsmasq:dnsmasq:*:*:*:*:*:*:*:* indicates broad applicability across dnsmasq installations. DHCPv6 operates over UDP port 547, handling IPv6 address allocation and network configuration. Heap-based out-of-bounds writes typically occur when packet length fields are not validated before copying data into fixed-size heap buffers, allowing attacker-controlled data beyond allocated memory. In privileged network services like dnsmasq (often runs as root for low-port binding), memory corruption directly yields root code execution.

RemediationAI

Upgrade to dnsmasq 2.92rel2 or later, confirmed by NixOS packaging changes in GitHub PR #519082 and #519093 (https://github.com/NixOS/nixpkgs/pull/519082). Official vendor guidance expected at https://thekelleys.org.uk/dnsmasq/CVE/. For distributions, monitor vendor security advisories: NixOS already patched, Debian/Ubuntu/RHEL advisories pending. If immediate patching is not feasible and DHCPv6 is not required, disable DHCPv6 functionality via dnsmasq configuration (remove --enable-ra or --dhcp-range IPv6 directives, restart service) - side effect: breaks IPv6 address autoconfiguration for clients, acceptable if IPv4-only or static IPv6 used. If DHCPv6 required, restrict dnsmasq network exposure using firewall rules to accept UDP 547 only from trusted management networks, not general client VLANs - this limits local attack surface but does not eliminate risk from compromised trusted hosts. Verify patch application by checking dnsmasq version (dnsmasq --version) and reviewing https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html for upstream confirmation.

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-14491 CRITICAL POC
9.8 Oct 04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-13704 HIGH
7.5 Oct 03

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call get

CVE-2017-14495 HIGH POC
7.5 Oct 03

Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote

CVE-2017-14496 HIGH POC
7.5 Oct 03

Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-su

CVE-2017-14493 CRITICAL POC
9.8 Oct 03

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execu

CVE-2017-14494 MEDIUM POC
5.9 Oct 03

dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vect

CVE-2019-14513 HIGH POC
7.5 Aug 01

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that

CVE-2015-3294 MEDIUM POC
6.4 May 08

The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function

CVE-2013-0198 MEDIUM POC
5.0 Mar 05

Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces,

CVE-2021-3448 MEDIUM POC
4.0 Apr 08

A flaw was found in dnsmasq in versions before 2.85. Rated medium severity (CVSS 4.0), this vulnerability is remotely ex

CVE-2026-4890 HIGH
7.5 May 11

Remote unauthenticated attackers can crash dnsmasq DNS servers via crafted packets exploiting DNSSEC validation logic. T

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-4892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy