CERT is releasing six CVEs for serious security vulnerabilities in dnsmasq

TL;DR

CERT announced six severe security vulnerabilities in dnsmasq, impacting many versions. Patches are being prepared, and vendors are expected to release updates shortly. The flaws could enable remote exploits, making immediate patching critical.

CERT has officially disclosed six critical security vulnerabilities (CVEs) affecting dnsmasq, a widely used DNS and DHCP server, prompting urgent updates from vendors and users. These vulnerabilities are confirmed to be severe and affect nearly all recent versions of dnsmasq, emphasizing the need for immediate patching to prevent potential exploits.

The CERT Coordination Center announced the release of six CVEs affecting dnsmasq, the popular network service used for DNS and DHCP management, on May 11, 2026. These vulnerabilities are described as serious and long-standing, impacting most non-ancient versions of dnsmasq. The CVEs were pre-disclosed to vendors, allowing them to prepare patches that are expected to be released soon.

Simon Kelley, a maintainer of dnsmasq, confirmed that a patched version, 2.92rel2, has been released and is available for download. This version includes fixes for the identified security flaws. Kelley also stated that the commits fixing these issues will be incorporated into the upcoming 2.93 release, which is currently in release candidate testing. The patches involve both backported fixes and more comprehensive rewrites to address root causes of the vulnerabilities.

Why It Matters

This development is significant because dnsmasq is embedded in many network environments, from small office routers to large enterprise networks. Exploitation of these vulnerabilities could enable remote code execution or denial-of-service attacks, posing a major security risk. The disclosure underscores the importance of timely patching, especially given the widespread deployment of dnsmasq and the potential for malicious actors to exploit these flaws.

Background

dnsmasq is a widely used DNS and DHCP server, often integrated into consumer routers, embedded devices, and enterprise networks. Over recent weeks, security researchers and the community have reported numerous bugs, some of which have been actively exploited or could be exploited in the wild. The vulnerabilities disclosed today are described as long-standing, indicating they have existed for some time but are only now being publicly addressed. The disclosure follows a pattern of increased AI-generated bug reports and a shift towards more transparent security practices in open-source projects.

“The CVEs are serious and affect most recent versions of dnsmasq. Patches are available now, and the upcoming 2.93 release will incorporate fixes for these vulnerabilities.”

— Simon Kelley

“The disclosed CVEs represent long-standing security issues in dnsmasq that require immediate attention from affected users and vendors.”

— CERT Coordination Center

What Remains Unclear

While patches and updates are in progress, it remains unclear whether all vendors will release timely updates or if some users may remain vulnerable. Details about the specific nature of each CVE and potential exploit scenarios are still emerging. Additionally, the full impact and whether exploits are actively being used in the wild are not yet confirmed.

What’s Next

Vendors are expected to release official patches shortly, with the upcoming dnsmasq 2.93 stable release incorporating the fixes. Users and administrators should monitor vendor advisories and apply updates immediately once available. Further security assessments and potential exploit analyses are anticipated as the patches are deployed.

Key Questions

What are the main risks associated with these dnsmasq vulnerabilities?

The vulnerabilities could allow remote attackers to execute arbitrary code or cause denial-of-service conditions, potentially compromising affected networks.

Are all versions of dnsmasq affected?

No. The vulnerabilities primarily affect most recent, actively maintained versions; older or highly customized versions are possibly unaffected. Details are available in the official CVE disclosures.

When will patches be available?

Vendors are expected to release patches soon, with the dnsmasq 2.92rel2 version already available and the 2.93 release candidate in testing. Users should stay alert for updates from their vendors.

Should I immediately disable dnsmasq until patches are released?

If you are using affected versions, it is advisable to monitor vendor advisories and consider disabling dnsmasq or applying interim mitigations until official patches are available.
