-------------------------------------------------------------------------
Debian LTS Advisory DLA-4625-1                            [email protected]
https://www.debian.org/lts/security/                      Arnaud Rebillout
June 10, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : dnsmasq
Version        : 2.85-1+deb11u2
CVE ID         : CVE-2026-2291 CVE-2026-4890 CVE-2026-4891 CVE-2026-4892
                 CVE-2026-4893

Several vulnerabilities have been discovered in dnsmasq, a caching DNS
proxy and DHCP/TFTP server.

CVE-2026-2291

    dnsmasq's extract_name() function can be abused to cause a heap buffer
    overflow, allowing an attacker to inject false DNS cache entries,
    which could result in DNS lookups being redirected to an
    attacker-controlled IP address, or to cause a DoS.

CVE-2026-4890

    A Denial of Service (DoS) vulnerability in the DNSSEC validation of
    dnsmasq allows remote attackers to cause a denial of service via a
    crafted DNS packet.

CVE-2026-4891

    A heap-based out-of-bounds read vulnerability in the DNSSEC validation
    of dnsmasq allows remote attackers to cause a denial of service via a
    crafted DNS packet.

CVE-2026-4892

    A heap-based out-of-bounds write vulnerability in the DHCPv6
    implementation of dnsmasq allows local attackers to execute arbitrary
    code with root privileges via a crafted DHCPv6 packet.

CVE-2026-4893

    An information disclosure vulnerability in dnsmasq allows remote
    attackers to bypass source checks via a crafted DNS packet with RFC
    7871 client subnet information.

For Debian 11 bullseye, these problems have been fixed in version
2.85-1+deb11u2.

We recommend that you upgrade your dnsmasq packages.

For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS