TL;DR
CERT announced the release of six CVEs exposing serious security vulnerabilities in dnsmasq. These bugs affect nearly all recent versions, prompting immediate patching efforts. The vulnerabilities have been pre-disclosed to vendors to facilitate timely updates.
CERT has publicly disclosed six security vulnerabilities in dnsmasq, a widely used network service, affecting nearly all recent versions. The vulnerabilities are considered serious and have been pre-disclosed to vendors to enable prompt patching, highlighting the urgency for affected organizations to update their systems.
On May 11, 2026, CERT released six Common Vulnerabilities and Exposures (CVEs) related to dnsmasq, a popular DNS and DHCP server used in many networks worldwide. The vulnerabilities are described as long-standing bugs that impact most non-ancient versions of dnsmasq, including the current stable release 2.92. The CVEs were pre-disclosed to vendors, allowing them to prepare patches and updates for their products.
Simon Kelley, the maintainer of dnsmasq, confirmed that patches have been integrated into the latest 2.92rel2 release, which is now available for download. He also indicated that the development team is working on a new release, dnsmasq 2.93, which will incorporate these fixes and potentially more comprehensive re-writes to address root causes. Kelley emphasized the large volume of AI-generated bug reports and the importance of timely releases to mitigate ongoing security risks.
Why It Matters
This disclosure is significant because dnsmasq is embedded in many network infrastructures, including enterprise, service provider, and consumer environments. The vulnerabilities could potentially allow attackers to compromise DNS or DHCP services, leading to data breaches, service disruptions, or network manipulation. Prompt patching is critical to prevent exploitation, especially as threat actors may leverage these bugs for malicious purposes.
Background
dnsmasq is a lightweight, widely deployed service that provides DNS and DHCP functions. Over recent months, security researchers and the community have identified multiple vulnerabilities, prompting ongoing efforts to improve its security. The current disclosure follows a pattern of long-standing bugs coming to light, with the latest being disclosed by CERT today. Kelley’s update indicates a focus on fixing these issues in upcoming releases, amid a surge in AI-generated bug reports that complicate the security landscape.
“The CVEs are long-standing bugs affecting nearly all recent dnsmasq versions. Patches are now available, and a new release is in the works.”
— Simon Kelley
“The vulnerabilities pose a serious risk to networks relying on dnsmasq, and timely patching is essential to mitigate potential exploits.”
— CERT
What Remains Unclear
Details about the specific methods of exploitation and the full scope of impact are still emerging. It is also unclear how quickly all vendors will release updated packages, and whether some systems may remain vulnerable for a period of time.
What’s Next
Vendors are expected to release patched versions of dnsmasq shortly, with the upcoming dnsmasq 2.93 release expected to incorporate these security fixes. Organizations should prioritize updating their systems promptly. Further technical details and patches are available on Kelley’s website, and testing of the new release is ongoing.
Key Questions
What are the specific vulnerabilities in dnsmasq?
The CVEs describe long-standing bugs affecting DNS and DHCP functionality, with potential for remote code execution or service disruption. Details are available in the official disclosures and patches.
Are all versions of dnsmasq affected?
Most non-ancient versions are affected, including the current stable release 2.92. Older, deprecated versions are less likely to be vulnerable.
How should organizations respond to this disclosure?
Organizations should update to the latest patched versions of dnsmasq as soon as they are available, and monitor for further advisories from vendors and security authorities.
Will there be a new dnsmasq release soon?
Yes, Kelley indicated that dnsmasq 2.93 is in development and is expected to be released shortly; it will include these security patches.