dnsmasq Vulnerability Allows Unauthenticated Remote Code Execution
A critical heap-based buffer overflow in dnsmasq, CVE-2026-2291, allows unauthenticated remote attackers to execute arbitrary code.

The Zero Day Initiative (ZDI) has disclosed a critical vulnerability, CVE-2026-2291, affecting the widely used dnsmasq network utility. This flaw allows remote attackers to execute arbitrary code on vulnerable systems without requiring any form of authentication, posing a significant risk to network infrastructure.
The vulnerability stems from an issue within the parsing of CNAME (Canonical Name) records. Specifically, dnsmasq fails to properly validate the length of user-supplied data before copying it into a heap-based buffer. This oversight can be exploited by an attacker to overwrite adjacent memory, leading to a heap-based buffer overflow and ultimately enabling the execution of malicious code within the context of the dnsmasq service.
With a CVSS score of 8.1, this vulnerability is classified as critical, highlighting the severity of the potential impact. Successful exploitation could lead to a complete compromise of the affected systems, allowing attackers to install programs, view, alter, or delete data, and create new accounts with full user rights.
Exploitation does not require any user interaction, making it particularly dangerous for internet-facing services. Attackers could scan for vulnerable dnsmasq instances and exploit them remotely, potentially leading to widespread compromise of devices running the software.
The issue has been addressed by the dnsmasq project through commit ec2fbbd (https://dnsmasq.org/CVE/CVE-2026-2291.credit). Users are strongly advised to update their dnsmasq installations to the patched version as soon as possible to mitigate the risk.
The vulnerability was initially reported to the vendor on March 31, 2026, with a coordinated public release of the advisory on July 15, 2026. The advisory was updated on the same day. The discovery and reporting of this flaw are credited to Xander Mackenzie.
dnsmasq is a lightweight DNS forwarder and DHCP server commonly used in embedded devices, routers, and small networks. Its widespread deployment means that a vulnerability like CVE-2026-2291 could affect a large number of devices, from consumer routers to enterprise network appliances.
This disclosure underscores the ongoing threat posed by vulnerabilities in core network infrastructure components. Organizations should maintain a robust patch management process and regularly review their network devices for known security flaws, especially those that allow for unauthenticated remote code execution.