CVE-2026-5172

Vulnerability

Overview CVE-2026-5172 is a heap out-of-bounds read vulnerability in dnsmasq's extract_addresses() function. The root cause is a mismatched resource record (RR) rdlen value that allows extract_name() to advance the parsing pointer beyond the computed end of the record. This underflows the remaining-bytes calculation, resulting in a large out-of-bounds read that can crash the dnsmasq process [1][3].

Exploitation

A remote attacker can trigger the vulnerability by sending a malformed DNS response to a dnsmasq instance acting as a DNS resolver. No authentication or special network position is required; the attacker only needs to be able to deliver a crafted DNS packet to the target. The flaw is reachable without any prior validation, making it straightforward to exploit [1][2].

Impact

Successful exploitation causes a denial of service (DoS) by crashing the dnsmasq process. While the primary impact is service disruption, the out-of-bounds read could potentially leak memory contents under certain conditions, though the CVE description and references focus on the crash [1][3].

Mitigation

The vulnerability is fixed in dnsmasq version 2.92rel2, released on 11 May 2026 [2]. Vendors and downstream projects (e.g., Pi-hole FTL v6.6.2) have released patched versions [3]. Users should update their dnsmasq installation to the latest version or apply the vendor-supplied patch.