VYPR
High severity 7.3 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-2291

Description

dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups being redirected to an attacker-controlled IP address, or to cause a DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in dnsmasq's extract_name() allows remote, unauthenticated attackers to inject false DNS cache entries, redirecting lookups or causing denial of service.

Vulnerability

The extract_name() function in dnsmasq fails to properly validate input, leading to a heap buffer overflow. The bug is rooted in an inadequate check on the size of domain names being processed: the on-heap namebuffer is sized for the wire form (MAXDNAME) rather than the potentially larger escaped internal form (MAXDNAME*2+1) [4]. An attacker can exploit this mismatch to write beyond the allocated buffer [1][2].
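The size relationship described above, as an added example that is not dnsmasq's code and not part of the advisory: a name-escaping routine in C that checks the remaining capacity before every write. The escape scheme (a marker byte followed by byte+1), the MAXDNAME value, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#define MAXDNAME 1025                  /* assumed value for this example */
#define ESCAPED_MAX (MAXDNAME * 2 + 1) /* worst case: every byte doubled, plus NUL */
#define ESC 0x01                       /* hypothetical escape marker */

/* Convert an uncompressed wire-format name to escaped dotted text. Returns the
 * text length, or -1 if malformed or if it would not fit in cap bytes with NUL. */
long escape_name(const unsigned char *wire, size_t wire_len, char *dst, size_t cap)
{
    size_t in = 0, out = 0;
    while (in < wire_len) {
        size_t label = wire[in++];
        if (label == 0) {                      /* root label ends the name */
            if (out >= cap) return -1;         /* no room for the terminator */
            dst[out] = '\0';
            return (long)out;
        }
        if (label > 63 || label > wire_len - in) return -1; /* pointer or truncated */
        if (out != 0) {                        /* separator between labels */
            if (out >= cap) return -1;
            dst[out++] = '.';
        }
        for (size_t i = 0; i < label; i++) {
            unsigned char c = wire[in++];
            int special = (c == '.' || c == 0 || c == ESC);
            size_t need = special ? 2 : 1;     /* escaped bytes take two slots */
            if (need > cap - out) return -1;   /* bound check before every write */
            if (special) { dst[out++] = (char)ESC; dst[out++] = (char)(c + 1); }
            else dst[out++] = (char)c;
        }
    }
    return -1;                                 /* no terminating root label */
}

/* Constructed sample: three 63-byte labels made entirely of '.' bytes,
 * so every data byte needs escaping. cap is the capacity offered to the writer. */
long escape_sample(size_t cap)
{
    unsigned char wire[3 * 64 + 1];
    char text[ESCAPED_MAX];
    size_t n = 0;
    if (cap > sizeof text) cap = sizeof text;
    for (int l = 0; l < 3; l++, n += 63) {
        wire[n++] = 63;
        memset(wire + n, '.', 63);
    }
    wire[n++] = 0;
    return escape_name(wire, n, text, cap);
}
```

The 193-byte constructed name escapes to 380 characters, so a destination sized to the wire length is rejected while one sized to twice the wire length plus one accepts it.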

Exploitation

The vulnerability is network-accessible, requiring no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) [1]. A remote peer that can send or answer DNS queries can trigger the overflow; no special network position is needed. The flaw is present in essentially all non-ancient versions of dnsmasq, making it a widespread threat [3].

Impact

Successful exploitation enables an attacker to inject false DNS cache entries, redirecting subsequent DNS lookups to attacker-controlled IP addresses. This can lead to the interception of sensitive data, man-in-the-middle attacks, or further compromise. Additionally, the overflow can be used to cause a denial of service by crashing dnsmasq [1][2]. The issue is a heap out-of-bounds write, as confirmed by the Pi-hole advisory [4].

Mitigation

The dnsmasq project has released version 2.92rel2 to fix all six related CVEs, and patches are available from the official repository [3]. Vendors such as SUSE have published security advisories and updated packages [1]. Downstream projects like Pi-hole have incorporated the fix in release v6.6.2 [4]. Users should upgrade their dnsmasq instance immediately.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
