High severity 7.3 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-2291
Description
dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could redirect DNS lookups to an attacker-controlled IP address, or to cause a DoS.
Affected products (10)
- osv-coords (9 versions), range: < 2.93-r0 + 8 more
  - pkg:apk/chainguard/dnsmasq
  - pkg:apk/chainguard/dnsmasq-doc
  - pkg:apk/wolfi/dnsmasq
  - pkg:apk/wolfi/dnsmasq-doc
  - pkg:rpm/almalinux/dnsmasq
  - pkg:rpm/almalinux/dnsmasq-utils
  - pkg:rpm/opensuse/dnsmasq&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
  - pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
- (no CPE) range: < 2.93-r0
- (no CPE) range: < 2.93-r0
- (no CPE) range: < 2.93-r0
- (no CPE) range: < 2.93-r0
- (no CPE) range: < 2.90-7.el10_2
- (no CPE) range: < 2.90-7.el10_2
- (no CPE) range: < 2.92rel2-1.1
- (no CPE) range: < 2.92rel2-18.27.1
- (no CPE) range: < 2.92rel2-18.27.1
References (7)
- github.com/NixOS/nixpkgs/pull/519082 (nvd)
- github.com/NixOS/nixpkgs/pull/519093 (nvd)
- github.com/pi-hole/FTL/releases/tag/v6.6.2 (nvd)
- lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html (nvd)
- thekelleys.org.uk/dnsmasq/CVE/ (nvd)
- www.kb.cert.org/vuls/id/471747 (nvd)
- www.suse.com/security/cve/CVE-2026-2291.html (nvd)
News mentions (1)
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More · The Hacker News · May 18, 2026