Updated dnsmasq packages fix security vulnerabilities
Publication date: 14 May 2026Modification date: 14 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-2291 , CVE-2026-4890 , CVE-2026-4891 , CVE-2026-4892 , CVE-2026-4893 , CVE-2026-5172
Description
CVE-2026-2291: dnsmasqs extract_name() function can be abused to cause a
heap buffer overflow, allowing an attacker to inject false DNS cache
entries, which could result in DNS lookups to redirect to an
attacker-controlled IP address, or to cause a DoS.
CVE-2026-4890: A Denial of Service (DoS) vulnerability in the
DNSSEC validation of dnsmasq allows remote attackers to cause a denial
of service via a crafted DNS packet.
CVE-2026-4891: A heap-based out-of-bounds read vulnerability in
the DNSSEC validation of dnsmasq allows remote attackers to cause a
denial of service via a crafted DNS packet.
CVE-2026-4892: A heap-based out-of-bounds write vulnerability in
the DHCPv6 implementation of dnsmasq allows local attackers to execute
arbitrary code with root privileges via a crafted DHCPv6 packet.
CVE-2026-4893: An information disclosure vulnerability in
dnsmasq allows remote attackers to bypass source checks via a crafted
DNS packet with RFC 7871 client subnet information.
CVE-2026-5172: A buffer overflow in dnsmasq’s
extract_addresses() function allows an attacker to trigger a heap
out-of-bounds read and crash by exploiting a malformed DNS response,
enabling extract_name() to advance the pointer past the record’s end.
References
- https://bugs.mageia.org/show_bug.cgi?id=35520
- https://thekelleys.org.uk/dnsmasq/CHANGELOG
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2291
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4890
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4891
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4892
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4893
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5172
SRPMS
9/core
- dnsmasq-2.92rel2-1.mga9