=====================================================================
                           CERT-Renater

                Information Note No. 2026/VULN479
_____________________________________________________________________

DATE                 : 12/05/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running dnsmasq versions prior to
                       2.92rel2.

=====================================================================
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
https://www.kb.cert.org/vuls/id/471747
_____________________________________________________________________

Today, 11th May 2026 CERT is releasing a set of six CVEs for serious
security vulnerabilities in dnsmasq. These are all long-standing bugs
which apply to pretty much all non-ancient versions. The CVE has been
pre-disclosed to vendors, so hopefully they will be releasing patched
versions of their dnsmasq packages in a timely manner.

Details and patches are available on the website at
https://thekelleys.org.uk/dnsmasq/CVE/ and I have made a "2.92rel2"
release of the current 2.92 dnsmasq stable release which is
downloadable from the usual place and has had these patches applied.

At the same time, the commits which fix these bugs in the development
tree will be uploaded. Some of these use the same patches as the
backports, but some are more comprehensive re-writes to tackle
root-causes.

There has been something of a revolution in AI-based security
research, and I've spent a lot of time over the last couple of months
dealing with bug reports, weeding duplicates (so many duplicates!) and
triaging bugs into those which need vendor pre-disclosure and those
which it's better to make public and fix immediately. Those judgements
have been necessarily subjective, but given the number of times "good
guys" have found these bugs, there's no doubt that "bad guys" have
been able to do the same, so long embargoes seem kind of pointless.

There's also the problem that the amount of time and effort, for all
actors, needed to co-ordinate an embargo and provide backports is
huge. I think the priority for most bugs is to fix them going forward,
and have new dnsmasq releases as bug-free as possible. To this end,
you may have noticed that there have been a lot of security-fix
commits to the git repo in the weeks prior to this announcement. I
will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93
release done ASAP.

Testing of release candidate by members here is important and I'd like
to encourage anyone who can to do that as soon as they can. With luck,
2.93 could be out in a week or so.

The tsunami of AI-generated bug reports shows no signs of stopping, so
it is likely that this process will have to be repeated again soon.
There's a tension between getting as much as possible of the ongoing
bug stream fixed in 2.93 and its timely release. I plan to prioritise
timeliness, and keep working after that as necessary.

Simon.
_____________________________________________________________________

dnsmasq contains several vulnerabilities, including attacker DNS
redirect, privilege escalation, and heap manipulation

Vulnerability Note VU#471747
Original Release Date: 2026-05-11 | Last Revised: 2026-05-11

Overview

dnsmasq is affected by multiple memory safety and input validation
vulnerabilities, including heap buffer overflows, heap corruption, and
code execution flaws. Collectively, these vulnerabilities enable
attackers to poison cached DNS records, bypass security controls,
crash the dnsmasq process, or under certain conditions, achieve local
privilege escalation. dnsmasq has released version 2.92rel2 to fix the
vulnerabilities.

Description

dnsmasq is an open-source networking tool that provides DNS
forwarding, DHCP, and network boot services for small-to-medium sized
networks and home routing devices.
It can also function as a DNS resolver, which is the primary
exploitation use case for several of the vulnerabilities described
below, tracked collectively as CVE-2026-2291, CVE-2026-4890,
CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.

CVE-2026-2291
dnsmasq's extract_name() function can be abused to cause a heap buffer
overflow, enabling an attacker to inject false DNS cache entries. This
could cause DNS queries to be redirected to attacker-controlled IP
addresses or result in a Denial of Service (DoS).

CVE-2026-4890
An infinite-loop flaw in the DNSSEC validation of dnsmasq allows
remote attackers to cause Denial of Service (DoS) conditions via a
crafted DNS packet.

CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation
of dnsmasq allows remote attackers to leak memory information via a
crafted DNS packet.

CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6
implementation of dnsmasq allows local attackers to execute arbitrary
code with root privileges via a crafted DHCPv6 packet.

CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote
attackers to bypass source checks via a crafted DNS packet containing
RFC 7871 client-subnet information.

CVE-2026-5172
A buffer overflow vulnerability in dnsmasq’s extract_addresses()
function allows attackers to trigger a heap out-of-bounds read and
crash dnsmasq by exploiting a malformed DNS response.

Impact

These vulnerabilities collectively pose various risks:

* DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) — dnsmasq may
  crash or become unresponsive, terminating DNS resolution and
  affecting dependent services.
* Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893) —
  Attackers may overwrite cache entries or manipulate response
  routing, enabling the silent redirection of users to malicious
  domains.
* Information Disclosure (CVE-2026-4891, CVE-2026-4893) — Internal
  memory and network information may be inadvertently exposed.
* Local Privilege Escalation (CVE-2026-4892) — A local attacker may
  execute arbitrary code as root via DHCPv6 manipulation.

Solution

dnsmasq has released version 2.92rel2 to fix the above
vulnerabilities, and various vendors have published patches to address
individual remediations. A full list of affected vendors and vendor
patches can be found in the References section below. This note, as
well as the CVE listings, will be updated as additional patches become
available.

Acknowledgements

Thank you to the reporters for discovering these vulnerabilities:

* Hugo Martinez (hugomray@gmail.com) - CVE-2026-5172, CVE-2026-2291
* Andrew Fasano (NIST) - CVE-2026-2291
* Royce M (royce@xchglabs.com) - CVE-2026-4893, CVE-2026-4892,
  CVE-2026-4891, CVE-2026-4890, CVE-2026-2291
* Asim Viladi Oglu Manizada - CVE-2026-4892
* Mattia Ricciardi (mindless) - CVE-2026-2291

This document was written by Christopher Cullen and Molly Jaconski.
Special thanks to Simon Kelley of dnsmasq and all participating
vendors for their prompt engagement and coordination efforts.

Vendor Information

Arch Linux: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: February 13, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Unknown
  CVE-2026-4891   Unknown
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
  Vendor Statement:
    We have not received a statement from the vendor.

NixOS: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: May 11, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Affected
  CVE-2026-4891   Affected
  CVE-2026-4892   Affected
  CVE-2026-4893   Affected
  CVE-2026-5172   Affected
  Vendor Statement:
    We have not received a statement from the vendor.
  References:
    https://github.com/NixOS/nixpkgs/pull/519082
    https://github.com/NixOS/nixpkgs/pull/519093

Pi-Hole: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: March 30, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Affected
  CVE-2026-4891   Affected
  CVE-2026-4892   Affected
  CVE-2026-4893   Affected
  CVE-2026-5172   Affected
  Vendor Statement:
    We have not received a statement from the vendor.

Red Hat: Affected
  Notified: 2026-02-11   Updated: 2026-05-11
  Statement Date: February 11, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Unknown
  CVE-2026-4891   Unknown
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
  Vendor Statement:
    We have not received a statement from the vendor.

SUSE Linux: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: February 16, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Unknown
  CVE-2026-4891   Unknown
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
  Vendor Statement:
    SUSE dnsmasq is affected by this vulnerability.
  References:
    https://www.suse.com/security/cve/CVE-2026-2291.html

Ubuntu: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: March 30, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Affected
  CVE-2026-4891   Affected
  CVE-2026-4892   Affected
  CVE-2026-4893   Affected
  CVE-2026-5172   Unknown
  Vendor Statement:
    We have not received a statement from the vendor.

Wind River: Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: February 18, 2026
  CVE-2026-2291   Affected
  CVE-2026-4890   Unknown
  CVE-2026-4891   Unknown
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
  Vendor Statement:
    We have not received a statement from the vendor.

Arista Networks: Not Affected
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: April 13, 2026
  CVE-2026-2291   Not Affected
  CVE-2026-4890   Not Affected
  CVE-2026-4891   Not Affected
  CVE-2026-4892   Not Affected
  CVE-2026-4893   Not Affected
  CVE-2026-5172   Not Affected
  Vendor Statement:
    Arista Networks examined the CVE details provided.
    We do not believe ourselves to be vulnerable to the issues because
    we are either not running impacted versions or we are not using
    the impacted features on versions we are using where the
    vulnerability is present.

Synology: Unknown
  Notified: 2026-02-12   Updated: 2026-05-11
  Statement Date: May 05, 2026
  CVE-2026-2291   Unknown
    Vendor Statement: Our versions range from 2.73 to 2.89, and the
    DNSSEC feature was not enabled at build time.
  CVE-2026-4890   Unknown
    Vendor Statement: Our versions range from 2.73 to 2.89, and the
    DNSSEC feature was not enabled at build time.
  CVE-2026-4891   Unknown
    Vendor Statement: Our versions range from 2.73 to 2.89, and the
    DNSSEC feature was not enabled at build time.
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
    Vendor Statement: Only versions 2.90 and later are affected; we
    use a version earlier than 2.90.

AlmaLinux OS Foundation: Unknown
  Notified: 2026-02-12   Updated: 2026-05-11
  CVE-2026-2291   Unknown
  CVE-2026-4890   Unknown
  CVE-2026-4891   Unknown
  CVE-2026-4892   Unknown
  CVE-2026-4893   Unknown
  CVE-2026-5172   Unknown
  Vendor Statement:
    We have not received a statement from the vendor.

Alpine Linux: Unknown
Amazon: Unknown
ASUSTeK Computer Inc.: Unknown
Cisco: Unknown
Debian GNU/Linux: Unknown
dnsmasq: Unknown
FreeBSD: Unknown
Gentoo Linux: Unknown
Google: Unknown
libvirt: Unknown
Marconi Inc.: Unknown
Micro Focus: Unknown
Microsoft: Unknown
NETGEAR: Unknown
Openwall GNU/*/Linux: Unknown
Oracle Corporation: Unknown
Rocky Linux: Unknown
Slackware Linux Inc.: Unknown
Tizen: Unknown
TP-LINK: Unknown
Turbolinux: Unknown
Univention: Unknown
VMware: Unknown

References

https://thekelleys.org.uk/dnsmasq/doc.html
https://www.suse.com/security/cve/CVE-2026-2291.html
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html
https://thekelleys.org.uk/dnsmasq/CVE/
https://thekelleys.org.uk/dnsmasq/LATEST_IS_2.92rel2
https://github.com/pi-hole/FTL/releases/tag/v6.6.2
https://github.com/NixOS/nixpkgs/pull/519093
https://github.com/NixOS/nixpkgs/pull/519082

Other Information

CVE IDs: CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892
         CVE-2026-4893 CVE-2026-5172
API URL: VINCE JSON | CSAF
Date Public: 2026-05-11
Date First Published: 2026-05-11
Date Last Updated: 2026-05-11 19:55 UTC
Document Revision: 4

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
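
Added example (not part of the CERT-Renater note, the CERT/CC note or the dnsmasq project): a triage helper that reads `dnsmasq --version` output, compares the version with 2.92rel2, and lists the CVEs above, dropping those whose feature (DNSSEC, DHCPv6) is not compiled in. It assumes the fixed build reports its version as "2.92rel2" and that disabled build options are printed with a "no-" prefix; the sample output is constructed.

```python
import re

FIXED = (2, 92, 2)  # 2.92rel2, the fixed release named in the advisory
# CVEs the advisory places in an optional feature; it ties no build option
# to the remaining three.
FEATURE_CVES = {"DNSSEC": ["CVE-2026-4890", "CVE-2026-4891"],
                "DHCPv6": ["CVE-2026-4892"]}
CORE_CVES = ["CVE-2026-2291", "CVE-2026-4893", "CVE-2026-5172"]

# Constructed sample of `dnsmasq --version` output, not taken from a real host.
SAMPLE = (
    "Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP "
    "DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash no-DNSSEC "
    "loop-detect inotify dumpfile\n"
)

def parse_version(text):
    """Return (major, minor, rel) for N.NN or N.NNrelN, else None."""
    m = re.search(r"^Dnsmasq version (\S+)", text, re.M)
    v = re.fullmatch(r"(\d+)\.(\d+)(?:rel(\d+))?", m.group(1)) if m else None
    if not v:
        return None  # rc/test builds and vendor-suffixed strings: check by hand
    return int(v.group(1)), int(v.group(2)), int(v.group(3) or 0)

def compiled_features(text):
    """Return the set of compile-time option tokens, or None if not printed."""
    m = re.search(r"^Compile time options: (.*)$", text, re.M)
    return set(m.group(1).split()) if m else None

def triage(text):
    """Classify one host's `dnsmasq --version` output against 2.92rel2."""
    ver = parse_version(text)
    if ver is None:
        return {"status": "unknown", "cves": []}
    if ver >= FIXED:
        return {"status": "fixed", "cves": []}
    feats = compiled_features(text)
    cves = list(CORE_CVES)
    for feat, ids in FEATURE_CVES.items():
        # No options line: assume the feature is present rather than under-report.
        if feats is None or feat in feats:
            cves += ids
    return {"status": "prior to 2.92rel2", "cves": sorted(cves)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A distribution package can carry the backported patches under an older version string, so a "prior to 2.92rel2" result is a prompt to check the vendor's own advisory, not proof of exposure.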