Skip to main content

dnsmasq CVE-2026-5172

| EUVDEUVD-2026-29156 HIGH
Out-of-bounds Read (CWE-125)
2026-05-11 certcc GHSA-57vp-ffx7-7gm6
7.3
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 09:10 vuln.today
Analysis Generated
Jun 08, 2026 - 09:10 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.3 (HIGH)
CVE Published
May 11, 2026 - 16:48 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.

AnalysisAI

Remote denial-of-service and limited information disclosure in dnsmasq's extract_addresses() function allows attackers controlling or able to inject DNS responses to crash the daemon by sending a malformed DNS record whose declared rdlen pushes extract_name() past the record boundary, triggering a heap out-of-bounds read. The flaw affects dnsmasq 2.93 and downstream packages from Red Hat, SUSE, Ubuntu, and Pi-hole FTL. No public exploit identified at time of analysis, EPSS exploitation probability is 0.03% (9th percentile), and CISA SSVC rates exploitation as 'none' with only partial technical impact.

Technical ContextAI

dnsmasq is a lightweight DNS forwarder and DHCP server widely deployed on Linux distributions, home routers, container networks, and ad-blocking appliances such as Pi-hole. The vulnerability resides in extract_addresses(), the routine that walks resource records (RRs) in a DNS response. When parsing an RR, dnsmasq uses each record's declared rdlen to bound the remaining buffer; a mismatched rdlen value causes the helper extract_name() to advance its pointer past the computed end of the record, underflowing the remaining-bytes calculation and producing an out-of-bounds read on heap memory. This is a classic buffer over-read (CWE-125-class issue, though no CWE was assigned in NVD data) arising from trusting attacker-controlled length fields in untrusted network input. The Pi-hole FTL release notes confirm the root cause: 'a mismatched RR rdlen allowed extract_name() to advance past the computed end of the record.'

RemediationAI

Apply vendor-released patches as soon as available: upgrade Pi-hole FTL to v6.6.2 or later (https://github.com/pi-hole/FTL/releases/tag/v6.6.2), apply Red Hat RHSA-2026:19158 (https://access.redhat.com/errata/RHSA-2026:19158), Ubuntu USN-8268-1 (https://ubuntu.com/security/notices/USN-8268-1), and the relevant SUSE-SU-2026 advisories (1934, 21640, 21677, 21733) for SUSE products. For source builds, apply the upstream patches published at https://thekelleys.org.uk/dnsmasq/CVE/ or move to the 2.92rel2-equivalent rebuild that downstream maintainers (e.g., NixOS PRs 519082/519093) have adopted; consult the upstream announcement at https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html and the CERT/CC note at https://www.kb.cert.org/vuls/id/471747. Where patching must be deferred, the most useful compensating controls are: restrict dnsmasq's upstream resolvers (--server / resolv.conf) to trusted servers reachable only over a trusted path, since this bug requires a crafted response to be parsed; place dnsmasq behind a validating resolver that drops malformed responses; firewall UDP/TCP 53 inbound to internal-only sources so that external attackers cannot directly answer recursive queries (trade-off: breaks DNS for any external clients that legitimately use the resolver); and monitor for repeated dnsmasq crash-restart cycles in supervisord/systemd logs as a detection signal. Disabling DNS forwarding entirely is a stronger but service-affecting fallback.

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-14491 CRITICAL POC
9.8 Oct 04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-13704 HIGH
7.5 Oct 03

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call get

CVE-2017-14495 HIGH POC
7.5 Oct 03

Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote

CVE-2017-14496 HIGH POC
7.5 Oct 03

Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-su

CVE-2017-14493 CRITICAL POC
9.8 Oct 03

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execu

CVE-2017-14494 MEDIUM POC
5.9 Oct 03

dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vect

CVE-2019-14513 HIGH POC
7.5 Aug 01

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that

CVE-2015-3294 MEDIUM POC
6.4 May 08

The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function

CVE-2013-0198 MEDIUM POC
5.0 Mar 05

Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces,

CVE-2026-4892 HIGH
8.4 May 11

Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with roo

CVE-2021-3448 MEDIUM POC
4.0 Apr 08

A flaw was found in dnsmasq in versions before 2.85. Rated medium severity (CVSS 4.0), this vulnerability is remotely ex

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-5172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy