All errata/sisyphus/ALT-PU-2026-7666-1
ALT-PU-2026-7666-1

Package update dnsmasq in branch sisyphus

Version2.92-alt2
Published2026-05-13
Max severityHIGH
Severity:

Closed issues (6)

CVE-2026-2291
HIGH7.3

dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.

Published: 2026-05-11Modified: 2026-06-17
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2026-4893
MEDIUM5.3

An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.

Published: 2026-05-11Modified: 2026-06-17
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2026-5172
HIGH7.3

A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.

Published: 2026-05-11Modified: 2026-06-30
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L