TL;DR
CERT has announced the release of six CVEs for critical security vulnerabilities in dnsmasq, affecting most recent versions. Vendors are expected to release patches soon, as developers work on updates to fix these long-standing bugs.
CERT has issued six security CVEs for dnsmasq, revealing long-standing vulnerabilities affecting most recent versions. These flaws pose significant security risks, prompting vendors and developers to prepare patches and updates.
The vulnerabilities were disclosed by CERT on May 11, 2026, and are described as serious, long-standing bugs impacting nearly all current non-legacy dnsmasq releases. The CVEs have been pre-disclosed to vendors, who are expected to release patched versions shortly. Simon Kelley, a dnsmasq developer, confirmed that a new ‘2.92rel2’ release has been made available, incorporating patches for these vulnerabilities, and that the development branch will soon include fixes in the upcoming ‘2.93’ release candidate. Kelley noted that some patches address root causes with comprehensive rewrites, while others are backports of existing fixes. The vulnerabilities are believed to have been exploited or at least discovered through AI-driven security research, emphasizing the urgency of the patches.
Why It Matters
This development matters because dnsmasq is widely used in network infrastructure, including routers, small business networks, and embedded systems. Critical vulnerabilities can lead to remote code execution, denial of service, or data breaches, making timely patching essential to prevent exploitation.
Background
dnsmasq is a popular DNS and DHCP server used globally. Prior to this disclosure, multiple security issues had been identified, but these six CVEs represent long-standing bugs that have persisted across versions. The disclosure follows a recent surge in AI-generated bug reports, which have accelerated bug discovery and disclosure processes. Historically, security flaws in dnsmasq have been patched in incremental updates, but the current vulnerabilities are described as severe enough to warrant immediate attention.
“These are long-standing bugs which apply to pretty much all non-ancient versions. The CVE has been pre-disclosed to vendors, so hopefully they will be releasing patched versions in a timely manner.”
— Simon Kelley
What Remains Unclear
It is not yet clear whether any systems have been actively exploited using these vulnerabilities, or what the full scope of their impact is. Details about the specific nature of the bugs and potential exploitation vectors are still emerging.
What’s Next
Vendors are expected to release official patches for affected versions shortly. Users and administrators should monitor updates from their vendors and apply patches promptly. The upcoming dnsmasq 2.93 release is anticipated to include comprehensive fixes for these CVEs.
Key Questions
What are the specific vulnerabilities in dnsmasq?
The CVEs address multiple long-standing bugs affecting dnsmasq’s DNS and DHCP functionalities, potentially enabling remote code execution or denial of service. Exact technical details are available in the official CVE disclosures.
Are all versions of dnsmasq affected?
The vulnerabilities apply to most recent non-legacy versions, including the current stable release 2.92 and development branches. Older or heavily modified versions may be unaffected.
When will patches be available?
Vendors are expected to release patched versions soon; dnsmasq 2.92rel2 is already available, and the upcoming 2.93 release will include the fixes. Users should stay alert for official updates.
How can I protect my systems in the meantime?
Administrators should monitor vendor advisories, disable dnsmasq if possible, or restrict network access until patches are applied. Implementing network segmentation can also limit potential damage.