Dnsmasq 6 Critical CVEs: Full Security Guide (2026)

Published: 2026-05-13 • Category: Security / DNS / DevOps

Overview

On May 11, 2026, CERT publicly disclosed six critical CVEs in dnsmasq, the lightweight DNS forwarder and DHCP server used across countless Linux distributions, embedded devices, IoT systems, Kubernetes clusters, and container environments. The vulnerabilities affect nearly every dnsmasq version still in use, making this one of the most significant open source security advisories of 2026.

Maintainer Simon Kelley released dnsmasq 2.92rel2 with patches for all six CVEs and has announced that the stable 2.93 release is in preparation.

Why This Matters

Dnsmasq is one of the most widely deployed pieces of network infrastructure software in the world: it provides DNS forwarding and DHCP for Linux distributions, embedded and IoT devices, Kubernetes clusters, and container environments.

The breadth of deployment means these CVEs have an exceptionally wide blast radius. Any system running dnsmasq without the latest patches is potentially exploitable.

The Six CVEs

CVE-2026-2291: Buffer Overflow in struct bigname

Type: Heap Buffer Overflow
Reported by: Andrew S. Fasano, Royce M (XCHG Labs), Hugo Martinez Ray, Xander Mackenzie (TrendAI Zero Day Initiative)

A heap buffer overflow in the handling of struct bigname within dnsmasq's DNS responder. An attacker sending a specially crafted DNS query can cause a write beyond the allocated buffer, potentially leading to remote code execution or denial of service. The bigname structure holds domain names too long for a cache entry's inline name buffer, and the bounds checking on it was insufficient to prevent the overflow.

CVE-2026-4890: NSEC Bitmap Parsing Infinite Loop

Type: Infinite Loop / Denial of Service
Reported by: Royce M (XCHG Labs)

This CVE covers two related parsing problems, one of which was coincidentally partially mitigated in release 2.92. A malformed NSEC record can cause dnsmasq to enter an infinite loop while parsing the type bitmap, an effective denial of service. NSEC records are part of DNSSEC and are normally processed when DNSSEC validation is enabled, but the parsing flaw exists regardless of whether validation is active.

CVE-2026-4891: RRSIG rdlen Validation Failure

Type: Crash / Potential Code Execution
Reported by: Royce M (XCHG Labs), Mike Cole (RedPath Security)

Missing validation of the rdlen field in RRSIG resource records. An attacker can supply an RRSIG record with a crafted length field, causing dnsmasq to read or write out of bounds during signature verification. This affects all versions handling DNSSEC-signed responses.
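The NSEC and RRSIG entries above are two failure classes of the same record parser, so one added example covers both. The C below is written for this article and is not dnsmasq code: it walks a single resource record in wire format, checks RDLENGTH against the bytes actually present before touching RDATA (the check whose absence the RRSIG entry describes), and parses the NSEC type bitmap of RFC 4034 section 4.1.2 with a guaranteed forward step and explicit rejection of out-of-range window lengths, so a malformed bitmap becomes an error rather than an endless loop. The sample records are constructed, the owner name is assumed to have been consumed already, and the function and error names are the example's own.

```c
/* Added example, not dnsmasq code. Walks one DNS resource record in wire
 * format, checking RDLENGTH against the packet before reading RDATA (the
 * check whose absence the RRSIG entry describes) and parsing the NSEC type
 * bitmap of RFC 4034 section 4.1.2, { window(1) length(1..32) bitmap(length) }
 * repeated, with a guaranteed forward step so a malformed bitmap is an error
 * rather than an endless loop. Sample records are constructed; the owner
 * name is assumed already consumed; all names here are the example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { RR_OK = 0, RR_TRUNCATED = -1, RR_MALFORMED = -2 };
enum { TYPE_RRSIG = 46, TYPE_NSEC = 47 };

/* Parse the NSEC type bitmap occupying exactly [p, end); set *has_a if type
 * A (1) is listed. Every iteration consumes at least 3 bytes, so the loop
 * terminates on any input; lengths outside 1..32 are rejected, not skipped. */
static int parse_nsec_bitmap(const uint8_t *p, const uint8_t *end, int *has_a)
{
    *has_a = 0;
    while (p < end) {
        if (end - p < 2) return RR_MALFORMED;       /* need window + length bytes */
        uint8_t window = p[0], len = p[1];
        if (len == 0 || len > 32) return RR_MALFORMED; /* RFC 4034: 1 <= length <= 32 */
        p += 2;
        if ((size_t)(end - p) < len) return RR_TRUNCATED; /* bitmap longer than RDATA */
        /* type = window * 256 + bit index, bits numbered from the MSB, so
         * type 1 (A) is window 0, byte 0, mask 0x40 */
        if (window == 0 && (p[0] & 0x40)) *has_a = 1;
        p += len;
    }
    return RR_OK;
}

/* Parse TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) at pkt+off and the RDATA after
 * it; on success *next is the offset of the following record. For NSEC the
 * RDATA (next-owner name, then type bitmap) is validated as well. */
static int walk_rr(const uint8_t *pkt, size_t pktlen, size_t off,
                   size_t *next, int *has_a)
{
    const uint8_t *end = pkt + pktlen;
    if (off > pktlen || pktlen - off < 10) return RR_TRUNCATED;
    const uint8_t *p = pkt + off;
    uint16_t type  = (uint16_t)(p[0] << 8 | p[1]);
    uint16_t rdlen = (uint16_t)(p[8] << 8 | p[9]);
    p += 10;
    /* The check that must not be skipped: RDLENGTH bounded by the packet. */
    if ((size_t)(end - p) < rdlen) return RR_TRUNCATED;
    const uint8_t *rdata_end = p + rdlen;
    *has_a = 0;
    if (type == TYPE_NSEC) {
        while (p < rdata_end && *p != 0) {          /* uncompressed next-owner name */
            size_t l = *p;
            if (l > 63 || (size_t)(rdata_end - p) < l + 1) return RR_MALFORMED;
            p += l + 1;
        }
        if (p >= rdata_end) return RR_MALFORMED;    /* no room for the root label */
        p++;
        int r = parse_nsec_bitmap(p, rdata_end, has_a);
        if (r != RR_OK) return r;
    }
    *next = (size_t)(rdata_end - pkt);
    return RR_OK;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_nsec[] = {
    0x00, TYPE_NSEC, 0x00, 0x01, 0, 0, 0, 60,   /* NSEC, IN, TTL 60 */
    0x00, 0x0b,                                 /* RDLENGTH 11 */
    0x01, 'b', 0x00,                            /* next owner "b." */
    0x00, 0x06, 0x40, 0, 0, 0, 0, 0 };          /* window 0, len 6, A bit set */
static const uint8_t oversized_rdlen[] = {
    0x00, TYPE_RRSIG, 0x00, 0x01, 0, 0, 0, 60,
    0xff, 0xff, 0x00 };                         /* RDLENGTH 65535, 1 byte present */
static const uint8_t zero_len_window[] = {
    0x00, TYPE_NSEC, 0x00, 0x01, 0, 0, 0, 60,
    0x00, 0x05, 0x01, 'b', 0x00,
    0x00, 0x00 };                               /* window 0 with length 0 */

int check_good_nsec(void) {
    size_t n; int a;
    return walk_rr(good_nsec, sizeof good_nsec, 0, &n, &a) == RR_OK
           && a == 1 && n == sizeof good_nsec;
}
int check_oversized_rdlen(void) {
    size_t n; int a;
    return walk_rr(oversized_rdlen, sizeof oversized_rdlen, 0, &n, &a) == RR_TRUNCATED;
}
int check_zero_len_window(void) {
    size_t n; int a;
    return walk_rr(zero_len_window, sizeof zero_len_window, 0, &n, &a) == RR_MALFORMED;
}

int main(void)
{
    printf("well-formed NSEC:    %s\n", check_good_nsec() ? "accepted" : "FAIL");
    printf("oversized RDLENGTH:  %s\n", check_oversized_rdlen() ? "rejected" : "FAIL");
    printf("zero-length window:  %s\n", check_zero_len_window() ? "rejected" : "FAIL");
    return 0;
}
```

The two rejections are the point: the RRSIG-typed record claims 65535 bytes of RDATA with one byte present and is refused before any RDATA is read, and the NSEC window with a zero length byte is refused instead of being stepped over (or not stepped over, which is how a bitmap walk can stop making progress).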

CVE-2026-4892: Buffer Overflow in helper.c with Large CLIDs

Type: Stack Buffer Overflow
Reported by: Royce M (XCHG Labs), Asim Viladi Oglu Manizada

A stack buffer overflow in helper.c, the code that hands lease changes to the dhcp-script helper process, triggered by oversized DHCP client identifiers (CLIDs). When dnsmasq operates as a DHCP server and receives a request carrying a very large client ID, the insufficiently bounded copy of that identifier can overflow a stack buffer, potentially enabling remote code execution on the DHCP server.

CVE-2026-4893: Broken Client Subnet Validation

Type: Input Validation / Logic Error
Reported by: Royce M (XCHG Labs)

A flaw in client subnet (EDNS Client Subnet) handling. The validation logic for the client subnet option in EDNS0 was broken, allowing malformed subnet data to bypass sanity checks. This could lead to information disclosure, cache poisoning, or potentially more severe impacts depending on network configuration.
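The entry above says the sanity checks on the client subnet option were broken without saying which, so the added C below (written for this article, not dnsmasq code) spells out the consistency checks the format itself demands. RFC 7871 lays the option out as FAMILY(2) SOURCE PREFIX-LENGTH(1) SCOPE PREFIX-LENGTH(1) ADDRESS, where ADDRESS is exactly ceil(SOURCE/8) bytes with the bits past the prefix zero, and SCOPE must be 0 in a query. The option bodies and the error names are the example's own.

```c
/* Added example, not dnsmasq code: parsing and validating the EDNS Client
 * Subnet option body (RFC 7871, OPTION-CODE 8). Layout: FAMILY(2)
 * SOURCE PREFIX-LENGTH(1) SCOPE PREFIX-LENGTH(1) ADDRESS, where ADDRESS is
 * exactly ceil(SOURCE/8) bytes and bits beyond SOURCE are zero. The sample
 * option bodies below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { ECS_OK = 0, ECS_SHORT = -1, ECS_BAD_FAMILY = -2, ECS_BAD_PREFIX = -3,
       ECS_BAD_LENGTH = -4, ECS_NONZERO_PAD = -5, ECS_BAD_SCOPE = -6 };

struct ecs { uint16_t family; uint8_t source, scope; uint8_t addr[16]; };

/* opt/optlen is OPTION-DATA (the bytes after OPTION-CODE and OPTION-LENGTH).
 * in_query: in a query the SCOPE PREFIX-LENGTH must be 0. */
int ecs_parse(const uint8_t *opt, size_t optlen, int in_query, struct ecs *out)
{
    if (optlen < 4) return ECS_SHORT;
    uint16_t family = (uint16_t)(opt[0] << 8 | opt[1]);
    uint8_t source = opt[2], scope = opt[3];
    unsigned maxbits = family == 1 ? 32 : family == 2 ? 128 : 0;  /* IPv4, IPv6 */
    if (maxbits == 0) return ECS_BAD_FAMILY;
    if (source > maxbits || scope > maxbits) return ECS_BAD_PREFIX;
    if (in_query && scope != 0) return ECS_BAD_SCOPE;
    size_t addrlen = ((size_t)source + 7) / 8;
    /* The address length is derived from the prefix, never from OPTION-LENGTH:
     * copying optlen - 4 bytes into addr[] would overrun it on a long option
     * and under-fill it on a short one. Disagreement is a malformed option. */
    if (optlen != 4 + addrlen) return ECS_BAD_LENGTH;
    if (source % 8) {                       /* RFC 7871: padding bits must be zero */
        uint8_t pad_mask = (uint8_t)(0xff >> (source % 8));
        if (opt[4 + addrlen - 1] & pad_mask) return ECS_NONZERO_PAD;
    }
    memset(out, 0, sizeof *out);
    out->family = family; out->source = source; out->scope = scope;
    memcpy(out->addr, opt + 4, addrlen);    /* addrlen <= 16 by the checks above */
    return ECS_OK;
}

/* Constructed option bodies. */
static const uint8_t ecs_v4_24[]    = { 0x00, 0x01, 24, 0, 192, 0, 2 };        /* 192.0.2.0/24 */
static const uint8_t ecs_too_long[]  = { 0x00, 0x01, 24, 0, 192, 0, 2, 0 };     /* one byte too many */
static const uint8_t ecs_v4_40[]    = { 0x00, 0x01, 40, 0, 1, 2, 3, 4, 5 };      /* /40 on IPv4 */
static const uint8_t ecs_dirty_pad[] = { 0x00, 0x01, 20, 0, 192, 0, 0x21 };     /* bits set past /20 */
static const uint8_t ecs_scoped_q[]  = { 0x00, 0x02, 56, 48,
                                         0x20, 0x01, 0x0d, 0xb8, 0, 0, 0 };     /* nonzero scope in a query */

int check_ecs_v4_24(void)    { struct ecs e; return ecs_parse(ecs_v4_24, sizeof ecs_v4_24, 1, &e) == ECS_OK && e.addr[0] == 192 && e.addr[3] == 0; }
int check_ecs_too_long(void) { struct ecs e; return ecs_parse(ecs_too_long, sizeof ecs_too_long, 1, &e) == ECS_BAD_LENGTH; }
int check_ecs_v4_40(void)    { struct ecs e; return ecs_parse(ecs_v4_40, sizeof ecs_v4_40, 1, &e) == ECS_BAD_PREFIX; }
int check_ecs_dirty_pad(void){ struct ecs e; return ecs_parse(ecs_dirty_pad, sizeof ecs_dirty_pad, 1, &e) == ECS_NONZERO_PAD; }
int check_ecs_scoped_q(void) { struct ecs e; return ecs_parse(ecs_scoped_q, sizeof ecs_scoped_q, 1, &e) == ECS_BAD_SCOPE; }

int main(void)
{
    printf("192.0.2.0/24:            %s\n", check_ecs_v4_24() ? "accepted" : "FAIL");
    printf("extra address byte:      %s\n", check_ecs_too_long() ? "rejected" : "FAIL");
    printf("IPv4 /40:                %s\n", check_ecs_v4_40() ? "rejected" : "FAIL");
    printf("nonzero padding bits:    %s\n", check_ecs_dirty_pad() ? "rejected" : "FAIL");
    printf("scope set in a query:    %s\n", check_ecs_scoped_q() ? "rejected" : "FAIL");
    return 0;
}
```

The design choice worth noting is that the number of address bytes copied is computed from SOURCE PREFIX-LENGTH and the family, and the option is rejected when OPTION-LENGTH disagrees; an implementation that trusts OPTION-LENGTH for the copy and the prefix for the semantics has two sources of truth, which is exactly where validation logic goes wrong.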

CVE-2026-5172: Buffer Overflow in extract_addresses()

Type: Heap Buffer Overflow
Reported by: Hugo Martinez Ray

A heap buffer overflow in extract_addresses(), the rfc1035.c routine that walks the resource records of a DNS reply to pull addresses out for the cache. A malformed reply can trigger the overflow, potentially leading to remote code execution.

The AI Bug Discovery Revolution

In his advisory email, Simon Kelley was candid about how the research landscape has changed: "There has been something of a revolution in AI-based security research." He noted that he spent the last couple of months dealing with bug reports, weeding duplicates ("so many duplicates!"), and triaging bugs.

Many of these CVEs were discovered using AI-powered security tooling. Royce M of XCHG Labs appears on five of the six CVE credit lists, a clear signal that systematic AI-driven vulnerability hunting is producing results at scale.

Kelley also addressed the embargo challenge directly: "Given the number of times 'good guys' have found these bugs, there's no doubt that 'bad guys' have been able to do the same, so long embargoes seem kind of pointless." This reflects a fundamental shift in vulnerability disclosure: AI makes finding bugs so cheap that both offensive and defensive researchers are likely to discover the same flaws independently, making lengthy coordinated disclosure periods less meaningful.

Patching and Mitigation

Immediate Action: Upgrade to dnsmasq 2.92rel2

Simon Kelley released dnsmasq 2.92rel2 on May 11, 2026, which patches all six CVEs. Individual patches are also available at https://thekelleys.org.uk/dnsmasq/CVE/.

Upcoming: dnsmasq 2.93 Stable

Dnsmasq 2.93rc1 (release candidate) has been tagged, with the stable 2.93 release expected within a week. Some fixes in 2.93 are more comprehensive rewrites addressing root causes, not just backports.

Check Your Distribution

Distribution packages frequently carry backported fixes under an older upstream version string, so the banner from dnsmasq --version does not by itself tell you whether a given build is fixed. Look up the six CVE IDs above in your distribution's security tracker and compare the installed package version with the fixed version it names; for builds compiled from upstream source, anything older than 2.92rel2 needs the patches.

Temporary Mitigations

If you cannot patch immediately, reduce who can reach the affected parsers. The client-identifier overflow (CVE-2026-4892) is reached through DHCP requests, so serve DHCP only on trusted segments. The struct bigname overflow (CVE-2026-2291) is triggered by a crafted DNS query, so bind the daemon only to the interfaces that need it and keep it off untrusted networks. The NSEC and RRSIG bugs (CVE-2026-4890, CVE-2026-4891) are reached through DNSSEC-signed responses, so forward only to upstream resolvers you control. These steps shrink exposure; they do not remove the bugs.

Important: These are temporary mitigations. Patching is the only complete fix.

Infrastructure Impact Analysis

The most dangerous aspect of this disclosure is that the six CVEs cover different attack surfaces (DNS query handling, DNS response parsing, DHCP serving, both stack and heap overflows, and DoS vectors). An attacker targeting a dnsmasq instance can pick the entry point that matches whatever the instance exposes:

- DNS queries from clients: the struct bigname overflow (CVE-2026-2291) is triggered by a crafted query.
- DNSSEC-signed responses from upstream: the NSEC bitmap loop (CVE-2026-4890) and the RRSIG rdlen flaw (CVE-2026-4891).
- EDNS0 option handling: the EDNS Client Subnet validation flaw (CVE-2026-4893).
- DHCP requests: the client-identifier stack overflow in helper.c (CVE-2026-4892).
- Address extraction: the heap overflow in extract_addresses() (CVE-2026-5172).

This diversity of attack vectors means that even if you have locked down one path, others may remain open.

The "AI Tsunami" of Bug Reports

Kelley's mailing list post provided a rare honest look at the maintainer's perspective in the age of AI-powered vulnerability research:

"The tsunami of AI-generated bug reports shows no signs of stopping, so it is likely that this process will have to be repeated again soon. There's a tension between getting as much as possible of the ongoing bug stream fixed in 2.93 and its timely release. I plan to prioritise timeliness, and keep working after that as necessary."

This is the new reality for open source maintainers. AI tools dramatically lower the cost of finding bugs, but they also generate massive volumes of reports — many duplicates or false positives — that maintainers must triage. The dnsmasq 2.93 release strategy (ship quickly, keep fixing) may become the standard approach across the open source ecosystem.

Conclusion

The dnsmasq 6 CVE disclosure marks a watershed moment in several ways: it demonstrates the power of AI-driven vulnerability research (six named reporters across six CVEs, one of them credited on five), it prompted an unusually candid discussion about embargo philosophy from a maintainer, and it provides a case study in how the open source ecosystem is adapting to the new pace of security research.

If you run dnsmasq anywhere in your infrastructure, patch now. The patches are available, the exploits are likely being developed (if they don't already exist), and the AI tools that discovered these bugs are available to both sides.