CVE-2026-4892

Dnsmasq · Dnsmasq

A heap-based out-of-bounds write vulnerability in the Dnsmasq DHCPv6 implementation allows local attackers to achieve root-level code execution via a crafted packet.

Executive summary

A heap-based buffer overflow in Dnsmasq's DHCPv6 implementation permits local attackers to execute arbitrary code with root privileges.

Vulnerability

This is a heap-based buffer overflow (CWE-122) triggered by a crafted DHCPv6 packet. The vulnerability allows an attacker to overwrite heap memory, which can lead to arbitrary code execution with the privileges of the Dnsmasq process, typically root.

Business impact

The CVSS score of 8.4 (High) reflects the critical nature of achieving root-level code execution. If exploited, an attacker could achieve full system compromise, bypass security controls, and gain persistent access to the host system where Dnsmasq is deployed.

Remediation

Immediate Action: Update Dnsmasq to version 2.92rel2 or later across all affected infrastructure.

Proactive Monitoring: Review system logs for crashes or abnormal behavior in the Dnsmasq process, which may indicate attempted exploitation.

Compensating Controls: Use system-level sandboxing (e.g., AppArmor or SELinux) to restrict the privileges of the Dnsmasq process, thereby limiting the impact of a potential code execution exploit.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Organizations should prioritize upgrading their Dnsmasq deployments to the latest version to prevent potential root-level escalation. Given that Dnsmasq is a foundational component for network services, testing and deploying this patch should be treated with high urgency.