ELA-1772-1 dnsmasq security update

multiple vulnerabilities

2026-07-14
Packagednsmasq
Version2.76-5+deb9u6 (stretch), 2.80-1+deb10u4 (buster)
Related CVEs CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892 CVE-2026-4893


Several vulnerabilities have been discovered in dnsmasq, a caching DNS proxy and DHCP/TFTP server.

CVE-2026-2291

dnsmasqs extract_name() function can be abused to cause a heap buffer
overflow, allowing an attacker to inject false DNS cache entries,
which could result in DNS lookups to redirect to an
attacker-controlled IP address, or to cause a DoS.

CVE-2026-4890

A Denial of Service (DoS) vulnerability in the DNSSEC validation of
dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.

Debian Stretch has not been affected by this, due to disabled DNSSEC.

CVE-2026-4891

A heap-based out-of-bounds read vulnerability in the DNSSEC validation
of dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.

Debian Stretch has not been affected by this, due to disabled DNSSEC.

CVE-2026-4892

A heap-based out-of-bounds write vulnerability in the DHCPv6
implementation of dnsmasq allows local attackers to execute arbitrary
code with root privileges via a crafted DHCPv6 packet.

CVE-2026-4893

An information disclosure vulnerability in dnsmasq allows remote
attackers to bypass source checks via a crafted DNS packet with RFC
7871 client subnet information.


For Debian 10 buster, these problems have been fixed in version 2.80-1+deb10u4.

For Debian 9 stretch, these problems have been fixed in version 2.76-5+deb9u6.

We recommend that you upgrade your dnsmasq packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.