Root Access & DNS Hijacking: Critical Dnsmasq Flaws Threaten Millions of Routers and Virtual Machines
A suite of vulnerabilities has been unearthed within ubiquitous networking systems, where a conventional domain query could potentially misdirect a user and a modest network service could be transformed into an adversarial foothold. The flaws reside in dnsmasq, a versatile utility that often operates inconspicuously yet governs essential functions in routers, virtual machines, and specialized distributions.
Researchers identified six vulnerabilities within dnsmasq, a package that integrates a caching DNS resolver, a DHCP server, IPv6 router advertisement services, and network boot mechanisms. Depending on the flaw, they allow remote code execution with root privileges, spoofing of the IP address returned for a chosen domain, disclosure of fragments of process memory, or a crash of the service itself. The developers have remediated these issues in version 2.92rel2, with discrete patches made available for integration into existing builds.
The most critical defect, designated CVE-2026-4892, involves the processing of DHCPv6 requests. It affords a local adversary the opportunity to execute code with root authority via a meticulously crafted packet. The root cause is that the DHCPv6 client identifier (CLID) is written into a buffer whose size does not account for its hexadecimal representation, in which each raw byte expands into a three-byte sequence of the form “%xx”.
CVE-2026-2291 pertains to the extract_name() function and may assist a malicious actor in injecting fraudulent records into the DNS cache. Such a scenario paves the way for redirecting a domain to a rogue IP address. This error arose from calculating buffer dimensions without considering the escaping of specific characters within the internal domain name format.
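The two sizing bugs above (the “%xx” expansion of the DHCPv6 CLID, and the escaping of characters in the internal name format) share one root cause: the output buffer is budgeted for the raw input rather than for its escaped form. The following is an added illustration, not dnsmasq's own code, of how a bounded escaper should compute the expanded length before writing and refuse a buffer that is too small; the input bytes are constructed for the demonstration, not a real client identifier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes needed to hold the "%xx" form of n raw bytes, plus the NUL.
 * A buffer budgeted as n + 1 (raw size) is three times too small. */
size_t hex_escape_len(size_t n)
{
    return n * 3 + 1;
}

/* Write each byte of in[0..n) into out as "%xx" (lowercase hex).
 * Returns the number of characters written (excluding the NUL), or -1
 * if out cannot hold the expanded result. The bound is checked before
 * the first write, so an undersized buffer is never overrun. */
long hex_escape(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";

    if (n > (SIZE_MAX - 1) / 3 || outsz < hex_escape_len(n))
        return -1;                      /* refuse rather than truncate */

    for (size_t i = 0; i < n; i++) {
        out[i * 3]     = '%';
        out[i * 3 + 1] = digits[in[i] >> 4];
        out[i * 3 + 2] = digits[in[i] & 0x0f];
    }
    out[n * 3] = '\0';
    return (long)(n * 3);
}

int main(void)
{
    /* Constructed 4-byte identifier, chosen only to exercise the escaper. */
    const unsigned char clid[] = {0x00, 0x01, 0xab, 0xff};
    char raw_sized[sizeof clid + 1];            /* the mistaken budget */
    char escaped[3 * sizeof clid + 1];          /* the correct budget  */

    if (hex_escape(clid, sizeof clid, raw_sized, sizeof raw_sized) < 0)
        printf("raw-sized buffer (%zu bytes) rejected, need %zu\n",
               sizeof raw_sized, hex_escape_len(sizeof clid));

    if (hex_escape(clid, sizeof clid, escaped, sizeof escaped) >= 0)
        printf("escaped: %s\n", escaped);
    return 0;
}
```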
Furthermore, CVE-2026-4893 involves the handling of DNS packets containing client subnet data per RFC 7871. Due to deficient verification, the source of a response could be erroneously deemed valid, creating the conditions to manipulate the DNS response path and steer users toward an attacker-controlled resource.
The remaining vulnerabilities impact DNSSEC validation and DNS response handling. CVE-2026-4891 leads to an out-of-bounds read, potentially disclosing memory fragments in response to a malformed DNS query. CVE-2026-4890 triggers an infinite loop during DNSSEC verification, facilitating a Denial-of-Service (DoS) attack, while CVE-2026-5172, linked to the extract_addresses() function, can cause the service to terminate unexpectedly when processing malicious DNS responses.
Dnsmasq is an integral component of Android, OpenWrt, DD-WRT, and the firmware of myriad wireless routers and Linux distributions. On workstations and servers, it frequently appears alongside libvirt to provide DNS services for virtual machines or is invoked via NetworkManager. Maintainers of Debian, Ubuntu, SUSE, RHEL, Gentoo, Arch, Fedora, OpenWRT, and FreeBSD are currently tracking the status of these fixes for their packages.