| Package | dnsmasq |
|---|---|
| Version | 2.76-5+deb9u6 (stretch), 2.80-1+deb10u4 (buster) |
| Related CVEs | CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892 CVE-2026-4893 |
Several vulnerabilities have been discovered in dnsmasq, a caching DNS proxy and DHCP/TFTP server.
CVE-2026-2291
dnsmasqs extract_name() function can be abused to cause a heap buffer
overflow, allowing an attacker to inject false DNS cache entries,
which could result in DNS lookups to redirect to an
attacker-controlled IP address, or to cause a DoS.
CVE-2026-4890
A Denial of Service (DoS) vulnerability in the DNSSEC validation of
dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.
Debian Stretch has not been affected by this, due to disabled DNSSEC.
CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation
of dnsmasq allows remote attackers to cause a denial of service via a
crafted DNS packet.
Debian Stretch has not been affected by this, due to disabled DNSSEC.
CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6
implementation of dnsmasq allows local attackers to execute arbitrary
code with root privileges via a crafted DHCPv6 packet.
CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote
attackers to bypass source checks via a crafted DNS packet with RFC
7871 client subnet information.
For Debian 10 buster, these problems have been fixed in version 2.80-1+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 2.76-5+deb9u6.
We recommend that you upgrade your dnsmasq packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.