Six new bugs hit dnsmasq, the DNS daemon in every Linux router. One gives a local attacker root.
CERT VU#471747 lists six dnsmasq CVEs disclosed May 11. The DHCPv6 flaw is local-root code execution. Simon Kelley credits 'a revolution in AI-based security research.'
CERT released VU#471747 on May 11, covering six dnsmasq vulnerabilities at once. The worst is CVE-2026-4892, a heap out-of-bounds write in the DHCPv6 handler that lets a local attacker run code as root. Simon Kelley, the project’s maintainer for 25 years, tagged dnsmasq 2.92rel2 with patches for all six the same day.
dnsmasq is the lightweight DNS forwarder and DHCP server that sits in front of half the consumer routers shipping in 2026. OpenWrt builds on it. Pi-hole builds on it. Every major Linux distro packages it. CERT’s confirmed-affected list includes Arch, NixOS, Pi-hole, Red Hat, SUSE, Ubuntu, and Wind River; 24 more vendors are still triaging. The blast radius is “any small network behind a Linux-based gateway,” and that’s a category that includes most home offices.
The six bugs
- CVE-2026-4892, local root via DHCPv6. A heap out-of-bounds write in dnsmasq’s DHCPv6 code path. A crafted DHCPv6 packet from any device on the same LAN can drop a payload into dnsmasq’s heap and pivot to root. Reported by Royce M (xchglabs) and Asim Viladi Oglu Manizada. This is the one to patch first.
- CVE-2026-2291, cache poisoning. A heap buffer overflow in extract_name() that can be exercised over the wire to inject false DNS cache entries, redirecting any client behind the resolver. Reported by four independent groups: Andrew S. Fasano, Royce M, Hugo Martinez Ray, and Xander Mackenzie via Trend Micro’s Zero Day Initiative.
- CVE-2026-4890, DNSSEC infinite loop. A crafted DNS response sends DNSSEC validation into a loop, denying resolver service. Two separate diffs ship: one for 2.92, one for 2.91 and older.
- CVE-2026-4891, DNSSEC memory disclosure. An out-of-bounds read in DNSSEC validation leaks adjacent heap data to a remote attacker.
- CVE-2026-4893, RFC 7871 source-check bypass. A malformed client-subnet option lets an attacker fake the source of a DNS query past dnsmasq’s access checks.
- CVE-2026-5172, DNS response crash. A heap out-of-bounds read in extract_addresses() crashes dnsmasq when handed a malformed response, taking down the resolver.
CERT didn’t publish CVSS scores, but the impact ladder is unambiguous: local root, remote cache poisoning, remote DoS, memory disclosure, source spoofing, remote crash. Five of the six are reachable over the network. Only the root one requires a foothold on the LAN.
What’s not in the advisory
- A vendor patch deadline. CERT’s “unknown” column is 24 vendors deep, including Debian, FreeBSD, Cisco, and Google. There’s no embargoed coordinated-disclosure schedule listed.
- An exploit-in-the-wild signal. None of the six advisories cite active exploitation. The reporters are independent security researchers, not incident responders.
- A consumer-router rollup. Most home routers don’t ship over-the-air updates for dnsmasq the day upstream patches. OpenWrt users can pull 2.92rel2 today. ASUS, Netgear, and Ubiquiti owners need to wait for their vendor.
Simon Kelley on the AI bug-report wave
Kelley’s announcement carries a line that’s worth quoting in full. “There has been something of a revolution in AI-based security research,” he wrote in the dnsmasq-discuss thread, and the rest of his post describes weeks of triaging a flood of bug reports, many of them duplicates. The credit files for the six CVEs run to nine separate reporters across six writeups; CVE-2026-2291 alone has four people sharing credit. One of them, Xander Mackenzie, is working “with TrendAI Zero Day Initiative,” which is Trend Micro’s rebranded ZDI program now feeding AI-assisted findings into the same triage queue.
Kelley’s tone reads as resigned more than excited. dnsmasq is a one-maintainer project that runs on every continent. A “revolution in AI-based security research” lands on his desk as a triage problem, and the resolution is shipping point releases on the volunteer’s clock. The patches in 2.92rel2 are the output of one person doing the integration work; the next 2.93 release candidate is in his queue for the same reason.
What this means for you
If you run dnsmasq directly on Linux servers, pull 2.92rel2 today. The DHCPv6 root path is local-only, so the immediate exposure is rogue devices on segments where dnsmasq runs as a DHCPv6 server. The DNS-side bugs are reachable from any upstream resolver dnsmasq forwards to.
If you run Pi-hole, watch the project’s release feed; the maintainer team usually folds upstream point releases within a week. Stop and reconsider any setup that exposes dnsmasq’s DNS port (53) to the internet. None of the remote bugs are wormable, but the cache-poisoning vector turns your resolver into an attack surface for every device behind it.
If you own a consumer router that runs dnsmasq under the hood, check the firmware-update path your vendor offers and budget a week. ASUS-Merlin, OpenWrt, pfSense, and the Ubiquiti UniFi gateways are the realistic upgrade lanes; everything else is on the vendor’s clock. Six CVEs in one batch is a strong reason to confirm your router is still in support before you trust the next DHCP lease.
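The two questions a defender asks first after a batch like this are whether the binary in front of the network is at or past 2.92rel2, and how far the DNS and DHCPv6 code paths reach. The Python below is an added example, not code from the dnsmasq project, the article, or any of the vendors it names. It parses the banner printed by `dnsmasq --version` and a dnsmasq.conf (the two configs are constructed samples), and it uses only options that exist in dnsmasq (interface, listen-address, bind-interfaces, bind-dynamic, dhcp-range). The ordering of version suffixes (test, rc, bare release, rel) is an assumption made for the comparison, not something the article states.

```python
import re

# Release the article names as carrying fixes for all six CVEs.
PATCHED_VERSION = "2.92rel2"

# Suffix ordering assumed for this example (not taken from the article):
# test < rc < bare release < rel.  So 2.92 and 2.92rc2 sort below 2.92rel2.
SUFFIX_RANK = {"test": 0, "rc": 1, "": 2, "rel": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(test|rc|rel)?(\d*)$")


def parse_version(ver):
    """Turn a string such as '2.92rel2' into a comparable tuple (2, 92, 3, 2)."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised dnsmasq version string: {ver!r}")
    major, minor, suffix, num = m.groups()
    return (int(major), int(minor), SUFFIX_RANK[suffix or ""], int(num or 0))


def version_from_banner(banner):
    """Extract the version token from the first line of `dnsmasq --version`."""
    m = re.search(r"Dnsmasq version (\S+)", banner)
    if not m:
        raise ValueError("no dnsmasq version banner found")
    return m.group(1)


def is_patched(ver):
    """True when the running version is at or past the fixed release."""
    return parse_version(ver) >= parse_version(PATCHED_VERSION)


def parse_conf(conf_text):
    """Parse dnsmasq.conf into {option: [values]}; bare flags get a '' value."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key.strip(), []).append(val.strip())
    return opts


def exposure_findings(conf_text):
    """Report settings that widen the reach of the DNS and DHCPv6 code paths."""
    opts = parse_conf(conf_text)
    findings = []
    if "interface" not in opts and "listen-address" not in opts:
        findings.append(
            "no interface= or listen-address=: port 53 answers on every "
            "interface, including any that faces the WAN")
    elif "interface" in opts and not ({"bind-interfaces", "bind-dynamic"} & opts.keys()):
        # Without bind-interfaces dnsmasq binds the wildcard address and only
        # discards traffic from unlisted interfaces after receiving it.
        findings.append(
            "interface= without bind-interfaces or bind-dynamic: the socket is "
            "bound to the wildcard address; other interfaces are filtered, not closed")
    for rng in opts.get("dhcp-range", []):
        if ":" in rng:  # an IPv6 range means the DHCPv6 handler is live
            findings.append(
                f"DHCPv6 enabled by dhcp-range={rng}: every host on that "
                "segment can reach the code path behind CVE-2026-4892")
    return findings


def audit(banner, conf_text):
    """Combine the version check and the config review into one report."""
    ver = version_from_banner(banner)
    return {"version": ver, "patched": is_patched(ver),
            "findings": exposure_findings(conf_text)}


# Constructed sample resembling a small gateway config, pre-patch and wide open.
SAMPLE_CONF = """\
domain-needed
bogus-priv
interface=br-lan
dhcp-range=192.168.1.100,192.168.1.250,12h
dhcp-range=::,constructor:br-lan,ra-names,64,12h
"""

# Constructed sample with the socket pinned to the LAN and DHCPv6 left off.
HARDENED_CONF = """\
interface=br-lan
bind-interfaces
local-service
dhcp-range=192.168.1.100,192.168.1.250,12h
"""

if __name__ == "__main__":
    # Constructed banner; on a real host feed in `dnsmasq --version` output.
    banner = "Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley"
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(banner, conf))
```

The DHCPv6 finding is deliberately not a recommendation to turn IPv6 addressing off; it marks which segments the local-root bug is reachable from so that the version check on those hosts gets priority.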
Sources
- [Dnsmasq-discuss] Multiple CVEs — thekelleys.org.uk
- VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation — CERT/CC
- Six new dnsmasq vulnerabilities open the door to DNS cache poisoning, local root — Help Net Security
- dnsmasq CVE patches and credit files — thekelleys.org.uk
- dnsmasq vulnerabilities (oss-sec) — Open Source Security mailing list