CVE-2026-4892 Overview
CVE-2026-4892 is a heap-based out-of-bounds write vulnerability in the Dynamic Host Configuration Protocol version 6 (DHCPv6) implementation of dnsmasq. A local attacker can send a crafted DHCPv6 packet to trigger memory corruption in the daemon's heap. Because dnsmasq typically runs with elevated privileges to bind privileged ports and manage network leases, successful exploitation enables arbitrary code execution with root privileges. The vulnerability affects dnsmasq, a widely deployed lightweight DNS forwarder and DHCP server used in routers, embedded devices, Pi-hole, and Linux distributions. Maintainers and downstream packagers have published fixes, including Pi-hole FTL v6.6.2 and patches in the NixOS package tree. CERT issued vulnerability note VU#471747 to coordinate disclosure across affected vendors.
Critical Impact
Local attackers can achieve arbitrary code execution as root by sending a crafted DHCPv6 packet to a vulnerable dnsmasq instance, compromising the host that runs DNS and DHCP services.
Affected Products
- dnsmasq (DHCPv6-enabled builds) — see dnsmasq CVE Information
- Pi-hole FTL prior to v6.6.2 — fixed in Pi-hole FTL Release v6.6.2
- Downstream Linux distributions packaging dnsmasq — tracked in NixOS Pull Request #519082 and NixOS Pull Request #519093
Discovery Timeline
- 2026-05-11 - CVE-2026-4892 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD
Technical Details for CVE-2026-4892
Vulnerability Analysis
The flaw resides in the DHCPv6 packet parsing routines within dnsmasq. When the daemon processes an attacker-controlled DHCPv6 message, it writes data past the end of a heap-allocated buffer. Heap-based out-of-bounds writes corrupt adjacent allocator metadata or neighboring objects, which an attacker can use to redirect control flow. Because dnsmasq handles raw DHCPv6 frames on the local network interface and retains root privileges to manage leases, the corruption occurs in a privileged process address space. Exploitation leads to loss of confidentiality, integrity, and availability of the host, with the impact contained to the affected service boundary.
Root Cause
The root cause is missing or insufficient bounds checking on length fields or option data inside a DHCPv6 packet before copying that data into a heap buffer. The parser trusts attacker-supplied size information, allowing writes that exceed the destination allocation. This pattern aligns with CWE-787: Out-of-bounds Write.
Attack Vector
The attack vector is local in CVSS terms, meaning the adversary needs to deliver the malicious DHCPv6 packet onto the local link where dnsmasq listens. No authentication or user interaction is required. DHCPv6 traffic is link-local by design, so any unauthenticated host on the same network segment as the vulnerable daemon can deliver the payload. Crafted Solicit, Request, or Relay-Forward messages with malformed options are the most likely trigger paths. For technical details, see the dnsmasq Discussion Mailing List thread and the CERT Vulnerability Report #471747.
Detection Methods for CVE-2026-4892
Indicators of Compromise
- Unexpected crashes, segmentation faults, or restarts of the dnsmasq process recorded in journalctl or /var/log/syslog.
- New child processes spawned by dnsmasq (for example, a shell or network utility) that have no legitimate role in DNS or DHCP operations.
- Outbound network connections originating from the dnsmasq process to attacker-controlled infrastructure.
Detection Strategies
- Monitor the integrity of the dnsmasq binary and configuration files against a known-good baseline.
- Inspect DHCPv6 traffic for malformed option lengths or oversized fields using packet capture tools such as tcpdump or tshark.
- Alert on any privilege-retained child process created from dnsmasq, since the daemon should not normally spawn interactive utilities.
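The length checks named under Root Cause, which are also what a capture-side validator looks for when inspecting option lengths, are shown below as an added example. It is not dnsmasq code and does not reproduce the CVE's trigger; the function name `dh6_walk`, the error codes, and both sample packets are constructed for illustration, using the RFC 8415 option layout (2-byte code, 2-byte length, data).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DH6_OK = 0, DH6_SHORT_HDR = -1, DH6_SHORT_OPT = -2,
       DH6_OPT_OVERRUN = -3, DH6_OPT_TOO_BIG = -4 };
#define DUID_MAX 130 /* 2-byte DUID type + at most 128 bytes (RFC 8415, 11.1) */

/* Walk the option TLVs of one DHCPv6 message. Client Identifier (option 1)
 * is copied into duid[] only after both bounds have been checked. */
int dh6_walk(const uint8_t *pkt, size_t len,
             uint8_t *duid, size_t duid_cap, size_t *duid_len)
{
    *duid_len = 0;
    if (len < 1) return DH6_SHORT_HDR;
    /* Relay-Forward (12) / Relay-Reply (13) have a 34-byte header, others 4. */
    size_t off = (pkt[0] == 12 || pkt[0] == 13) ? 34 : 4;
    if (len < off) return DH6_SHORT_HDR;
    while (off < len) {
        if (len - off < 4) return DH6_SHORT_OPT;        /* code + length cut off */
        uint16_t code = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        uint16_t olen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (olen > len - off) return DH6_OPT_OVERRUN;   /* length exceeds the packet */
        if (code == 1) {
            if (olen > duid_cap) return DH6_OPT_TOO_BIG; /* would overflow destination */
            memcpy(duid, pkt + off, olen);
            *duid_len = olen;
        }
        off += olen;
    }
    return DH6_OK;
}

/* Constructed sample: Solicit, xid 0x112233, Client ID = 10-byte DUID-LL. */
static const uint8_t good_pkt[] = { 0x01, 0x11, 0x22, 0x33, 0x00, 0x01, 0x00, 0x0a,
    0x00, 0x03, 0x00, 0x01, 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };
/* Constructed sample: same bytes, but option-len claims 256. */
static const uint8_t lying_pkt[] = { 0x01, 0x11, 0x22, 0x33, 0x00, 0x01, 0x01, 0x00,
    0x00, 0x03, 0x00, 0x01, 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };

int main(void)
{
    uint8_t duid[DUID_MAX]; size_t n;
    printf("good:  %d\n", dh6_walk(good_pkt, sizeof good_pkt, duid, sizeof duid, &n));
    printf("lying: %d\n", dh6_walk(lying_pkt, sizeof lying_pkt, duid, sizeof duid, &n));
    return 0;
}
```

The comparisons are written as `olen > len - off` rather than `off + olen > len` so that the check itself cannot wrap around.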
Monitoring Recommendations
- Forward host logs and process telemetry from devices running dnsmasq to a centralized analytics platform for correlation.
- Track package versions of dnsmasq and Pi-hole FTL across the fleet to verify patch coverage.
- Enable auditd rules for execve events under the dnsmasq process tree to catch post-exploitation activity.
How to Mitigate CVE-2026-4892
Immediate Actions Required
- Upgrade dnsmasq to the fixed version published by the upstream maintainer at thekelleys.org.uk.
- Upgrade Pi-hole FTL deployments to v6.6.2 or later.
- Apply distribution updates as they become available, including the NixOS changes tracked in PR #519082 and PR #519093.
Patch Information
Upstream dnsmasq patches are referenced from the maintainer's CVE tracking page. Pi-hole has shipped a fixed release in FTL v6.6.2. Coordinated vendor advisories are aggregated by CERT in VU#471747. Verify that any embedded device or router firmware vendor has incorporated the upstream fix before considering the issue resolved.
Workarounds
- Disable DHCPv6 service in dnsmasq if IPv6 address assignment is not required by setting dhcp-range to IPv4-only and removing IPv6 ranges.
- Restrict the interfaces on which dnsmasq listens using the interface= or bind-interfaces directives to trusted network segments only.
- Apply network segmentation and link-layer filtering to block untrusted hosts from sending DHCPv6 traffic to vulnerable servers.
# Configuration example: disable DHCPv6 in /etc/dnsmasq.conf
# Remove or comment out any IPv6 dhcp-range entries, for example:
# dhcp-range=::1,::ff,constructor:eth0,ra-names,12h
# Restrict dnsmasq to a trusted management interface
interface=eth0
bind-interfaces

# Shell commands (not part of dnsmasq.conf): restart the service after changes
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq


