CVE-2026-4892
Description
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in dnsmasq's DHCPv6 helper, via --dhcp-script, allows local attackers to execute arbitrary code as root by crafting a large DHCPv6 client identifier.
Vulnerability Overview
CVE-2026-4892 is a heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq, a widely used networking tool for DNS forwarding and DHCP services. The root cause lies in the DHCP helper process, which is spawned with root privileges when the --dhcp-script option is enabled. Specifically, hex-encoded DHCPv6 client identifiers, which can be up to 65535 bytes in length, are written into a fixed-size 5131-byte buffer without proper bounds checking. This mismatch leads to a heap overflow condition [1][3].
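The size mismatch described above, as an added C sketch that is not dnsmasq's code: an unchecked hex encoder next to a length-checked wrapper, using the 5131-byte and 65535-byte figures from the overview. The function names, the two-hex-digits-per-byte output format and the sample identifier bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELPER_BUF_SIZE 5131u  /* fixed buffer size quoted in the overview */
#define MAX_CLIENT_ID   65535u /* largest client identifier quoted there */

/* Unchecked pattern: writes 2*n + 1 bytes however small dst really is.
   Two hex digits per byte is an assumption of this sketch. */
void hex_encode_unchecked(char *dst, const uint8_t *src, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        *dst++ = hex[src[i] >> 4];
        *dst++ = hex[src[i] & 0x0f];
    }
    *dst = '\0';
}

/* Checked form: returns 0 on success, -1 if 2*n + 1 bytes exceed dst_size. */
int hex_encode_checked(char *dst, size_t dst_size, const uint8_t *src, size_t n)
{
    if (dst_size == 0 || n > (dst_size - 1) / 2)
        return -1;                     /* reject before writing any byte */
    hex_encode_unchecked(dst, src, n); /* safe: length validated above */
    return 0;
}

/* Encode a constructed n-byte identifier into a HELPER_BUF_SIZE heap buffer. */
int try_encode(size_t n)
{
    uint8_t *id = malloc(n ? n : 1);
    char *buf = malloc(HELPER_BUF_SIZE);
    int rc = -2;                       /* -2: allocation failure */
    if (id && buf) {
        memset(id, 0xab, n);
        rc = hex_encode_checked(buf, HELPER_BUF_SIZE, id, n);
    }
    free(id);
    free(buf);
    return rc;
}

int main(void)
{
    printf("largest id that fits: %u bytes\n", (HELPER_BUF_SIZE - 1) / 2);
    printf("encode %u bytes -> %d\n", MAX_CLIENT_ID, try_encode(MAX_CLIENT_ID));
    return 0;
}
```

Under this encoding a 5131-byte buffer holds at most a 2565-byte identifier, so a maximum-length identifier is rejected before any byte is written.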
Exploitation Prerequisites
The vulnerability is exploitable by a local attacker who can send a crafted DHCPv6 packet to a dnsmasq instance that has the --dhcp-script configuration active. No prior authentication is required beyond being on the local network segment where DHCPv6 messages are accepted. The attacker must be able to inject a malicious client identifier of sufficient size to overflow the buffer. This is considered a local attack vector because the DHCPv6 client identifier is provided by the client during the lease assignment process [1][2].
Impact
A successful exploit enables the attacker to achieve arbitrary code execution with root privileges, completely compromising the affected host. This can lead to full control of the dnsmasq process and potentially the entire system, depending on the attack payload. The severity is reflected in the high CVSS v3 score of 8.4 [1].
Mitigation
A fix for CVE-2026-4892 was released by the dnsmasq maintainer in version 2.92rel2 on May 11, 2026. The patch is included as part of a larger security update addressing six CVEs. Downstream distributors such as Pi-hole and NixOS have incorporated the fix into their respective packages. Users are strongly advised to update their dnsmasq installations to the latest patched version to mitigate this vulnerability [2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 6
News mentions: 4
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (The Hacker News · May 18, 2026)
- Week in review: Cisco patches SD-WAN 0-day, unpatched Microsoft Exchange Server flaw exploited (Help Net Security · May 17, 2026)
- Researchers open-source a Wi-Fi cyber range for security training (Help Net Security · May 13, 2026)
- APT28 exploit routers to enable DNS hijacking operations (NCSC UK · Apr 7, 2026)