{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0135",
  "published": "2026-05-14T02:43:25Z",
  "modified": "2026-05-14T01:42:37Z",
  "summary": "Updated dnsmasq packages fix security vulnerabilities",
  "details": "CVE-2026-2291: dnsmasqs extract_name() function can be abused to cause a\nheap buffer overflow, allowing an attacker to inject false DNS cache\nentries, which could result in DNS lookups to redirect to an\nattacker-controlled IP address, or to cause a DoS.\n        CVE-2026-4890: A Denial of Service (DoS) vulnerability in the\nDNSSEC validation of dnsmasq allows remote attackers to cause a denial\nof service via a crafted DNS packet.\n        CVE-2026-4891: A heap-based out-of-bounds read vulnerability in\nthe DNSSEC validation of dnsmasq allows remote attackers to cause a\ndenial of service via a crafted DNS packet.\n        CVE-2026-4892: A heap-based out-of-bounds write vulnerability in\nthe DHCPv6 implementation of dnsmasq allows local attackers to execute\narbitrary code with root privileges via a crafted DHCPv6 packet.\n        CVE-2026-4893: An information disclosure vulnerability in\ndnsmasq allows remote attackers to bypass source checks via a crafted\nDNS packet with RFC 7871 client subnet information.\n        CVE-2026-5172: A buffer overflow in dnsmasq’s\nextract_addresses() function allows an attacker to trigger a heap\nout-of-bounds read and crash by exploiting a malformed DNS response,\nenabling extract_name() to advance the pointer past the record’s end.\n",
  "upstream": [
    "CVE-2026-2291",
    "CVE-2026-4890",
    "CVE-2026-4891",
    "CVE-2026-4892",
    "CVE-2026-4893",
    "CVE-2026-5172"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0135.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35520"
    },
    {
      "type": "WEB",
      "url": "https://thekelleys.org.uk/dnsmasq/CHANGELOG"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "dnsmasq",
        "purl": "pkg:rpm/mageia/dnsmasq?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.92rel2-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}