CVE-2026-2291 Overview
CVE-2026-2291 is a heap buffer overflow vulnerability in the extract_name() function of dnsmasq, a widely deployed lightweight DNS forwarder and DHCP server. Attackers can exploit the flaw over the network without authentication or user interaction. Successful exploitation lets an attacker inject false DNS cache entries, redirecting DNS lookups to attacker-controlled IP addresses or triggering a denial-of-service condition. The vulnerability affects downstream products that embed dnsmasq, including Pi-hole FTL and various Linux distributions packaging the resolver.
Critical Impact
Remote attackers can poison the DNS cache to redirect traffic to attacker-controlled infrastructure or crash the resolver, breaking name resolution for every dependent client.
Affected Products
- dnsmasq (upstream resolver in versions prior to the fix referenced in the thekelleys.org.uk CVE index)
- Pi-hole FTL versions prior to v6.6.2
- Linux distributions packaging vulnerable dnsmasq builds, including SUSE and NixOS
Discovery Timeline
- 2026-05-11 - CVE-2026-2291 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-2291
Vulnerability Analysis
The defect resides in dnsmasq's extract_name() routine, which parses DNS names from incoming packets. Attacker-crafted DNS responses can drive the function to write beyond the bounds of its heap-allocated destination buffer. Because dnsmasq processes attacker-influenced DNS traffic by design, the unsafe write occurs during routine packet handling.
The overflow is reachable across the network with no privileges and no user interaction. Adjacent heap memory can be corrupted with attacker-chosen bytes derived from the malformed name. That corruption is sufficient to forge cache entries that dnsmasq subsequently serves to its clients, achieving DNS cache poisoning without solving traditional source-port or transaction-ID guessing problems.
Root Cause
The root cause is missing or insufficient bounds checking during name extraction. extract_name() decodes compressed DNS labels and copies them into a fixed-size buffer, but the size validation fails to account for all crafted label sequences. A malformed response containing pathological label encoding writes past the destination, corrupting heap structures the cache layer relies upon.
Attack Vector
An attacker who can deliver a DNS response to a dnsmasq instance — either as an upstream resolver answering a forwarded query, or via a spoofed response race against a legitimate authoritative server — can trigger the overflow. Internet-exposed dnsmasq listeners are at highest risk, but internal deployments are also exposed if an attacker can induce queries to malicious authoritative servers. Once the heap is corrupted, the resolver can be coerced into caching attacker-supplied records, redirecting subsequent lookups by every downstream client.
No verified public proof-of-concept code is available for CVE-2026-2291. Refer to the upstream dnsmasq CVE index and the CERT/CC advisory linked in the references for technical analysis as it becomes available.
Detection Methods for CVE-2026-2291
Indicators of Compromise
- Unexpected crashes or restarts of the dnsmasq or pihole-FTL process, particularly with heap corruption signatures in dmesg or core dumps.
- DNS responses resolving well-known domains to unfamiliar IP addresses, or sudden divergence between dnsmasq cache contents and authoritative answers.
- Inbound DNS responses containing malformed or unusually long compressed label sequences captured at the network perimeter.
Detection Strategies
- Inspect DNS response packets at network sensors for malformed name compression and oversized label chains targeting resolver hosts.
- Compare cached records on dnsmasq instances against trusted upstream resolvers to identify divergent or poisoned entries.
- Monitor process telemetry for dnsmasq and pihole-FTL for abnormal terminations, segmentation faults, or memory allocator aborts.
Monitoring Recommendations
- Forward dnsmasq query logs and process events into a centralized analytics platform and alert on resolver restarts correlated with inbound DNS traffic spikes.
- Track outbound DNS destinations from hosts whose resolver is dnsmasq, alerting on unexpected upstream servers that may indicate redirection.
- Enable host-based detection of memory-corruption signals on Linux servers running dnsmasq, such as repeated segmentation faults or allocator aborts, which may indicate an attacker probing for a working overflow or attempting to defeat ASLR.
How to Mitigate CVE-2026-2291
Immediate Actions Required
- Upgrade dnsmasq to the fixed version listed in the DNSMasq CVE Index and rebuild any embedded distributions.
- Update Pi-hole deployments to Pi-hole FTL Release v6.6.2 or later.
- Apply distribution patches such as the SUSE CVE-2026-2291 Advisory and the NixOS updates in Nixpkgs Pull Request #519082 and Nixpkgs Pull Request #519093.
- Restrict dnsmasq's listening interfaces so the service is not reachable from untrusted networks.
Patch Information
Upstream fixes are tracked in the dnsmasq project CVE index and discussed in the DNSMasq Discussion Post. Downstream packagers including SUSE, NixOS, and Pi-hole have released coordinated updates. Coordination details are summarized in CERT Vulnerability Report #471747.
Workarounds
- Bind dnsmasq to trusted interfaces only using the interface= and bind-interfaces directives, and block inbound UDP/TCP 53 from untrusted networks at the firewall.
- Force dnsmasq to forward only to trusted upstream resolvers using server= directives, reducing exposure to attacker-controlled authoritative responses.
- Enable DNSSEC validation in dnsmasq where supported to reject forged records that fail cryptographic checks.
# Example dnsmasq hardening in /etc/dnsmasq.conf
# Answer only on loopback and the trusted LAN interface (eth0 is a
# placeholder; substitute the interface facing trusted clients).
bind-interfaces
interface=lo
interface=eth0
# Ignore /etc/resolv.conf and forward only to the listed upstream resolvers.
no-resolv
server=1.1.1.1
server=9.9.9.9
# DNSSEC validation. dnsmasq requires at least one trust anchor when dnssec
# is set, so also load the root key your distribution ships (path varies,
# e.g. conf-file=/usr/share/dnsmasq/trust-anchors.conf).
dnssec
dnssec-check-unsigned
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.