CVE-2026-5172 Overview
CVE-2026-5172 is a buffer overflow vulnerability in the extract_addresses() function of dnsmasq, a widely deployed lightweight DNS forwarder and DHCP server. The flaw allows a remote attacker to trigger a heap out-of-bounds read by sending a malformed DNS response. The extract_name() helper advances a pointer past the end of the DNS record, causing the process to read memory outside the allocated buffer and crash. The issue affects downstream projects that embed or rely on dnsmasq, including Pi-hole FTL and various Linux distribution packages.
Critical Impact
A network-reachable attacker can crash dnsmasq with a single malformed DNS response, disrupting DNS resolution and DHCP services for all downstream clients.
Affected Products
- dnsmasq (upstream releases prior to the fix referenced in the dnsmasq-discuss mailing list)
- Pi-hole FTL versions prior to v6.6.2
- NixOS packages updated via pull requests #519082 and #519093
Discovery Timeline
- 2026-05-11 - CVE-2026-5172 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-5172
Vulnerability Analysis
The vulnerability resides in dnsmasq's response-parsing logic. When dnsmasq receives a DNS response from an upstream resolver, it calls extract_addresses() to iterate over answer records and pull out A and AAAA records for caching. For each record, the function invokes extract_name() to decompress the DNS name encoded in the answer section.
extract_name() walks the compressed name pointer-by-pointer but does not bound its progress against the end offset of the current resource record. A malformed record can cause the pointer to advance past the record boundary and into adjacent heap memory. The subsequent read produces an out-of-bounds read that dereferences memory outside the response buffer, terminating the dnsmasq process.
Because dnsmasq commonly runs as a system daemon servicing DNS and DHCP for entire networks, a crash interrupts name resolution and lease handling for every downstream client until the service restarts.
Root Cause
The root cause is missing length validation inside extract_name() when it is invoked from extract_addresses(). The function trusts the compressed name structure rather than enforcing that pointer advancement stays within the record's declared length. This is a classic boundary condition error leading to a heap out-of-bounds read.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker who controls or can spoof an upstream DNS response — for example, an authoritative server that dnsmasq queries, or an on-path attacker injecting forged responses — can deliver a crafted answer that triggers the read. Open-resolver deployments expand the attack surface to the public internet.
The vulnerability is described in prose only; no public proof-of-concept exploit is referenced in the advisory. See the DNSMasq Discuss Mailing List Post and CERT Vulnerability Advisory #471747 for technical details.
Detection Methods for CVE-2026-5172
Indicators of Compromise
- Repeated unexpected restarts or crash loops of the dnsmasq or pihole-FTL daemon
- Segmentation fault entries in journalctl -u dnsmasq or /var/log/syslog correlated with inbound DNS responses
- Core dumps with stack frames in extract_name and extract_addresses
Detection Strategies
- Monitor process telemetry for abnormal termination signals (SIGSEGV) targeting DNS resolver daemons.
- Inspect upstream DNS response traffic for malformed answer sections, unusual compression pointers, or records whose declared length does not match parsed content.
- Correlate daemon restarts with the source IPs of preceding upstream DNS responses to identify the trigger.
Monitoring Recommendations
- Alert on dnsmasq or Pi-hole FTL service restart counts exceeding a baseline within a short window.
- Forward DNS resolver logs and crash telemetry to a centralized SIEM for correlation across hosts.
- Track DNS resolution failure rates on client subnets as an early signal of resolver instability.
How to Mitigate CVE-2026-5172
Immediate Actions Required
- Upgrade Pi-hole FTL to v6.6.2 or later, which includes the upstream fix.
- Apply the patched dnsmasq package from your Linux distribution as soon as it becomes available; NixOS users can track pull requests #519082 and #519093.
- Restrict dnsmasq's upstream resolvers to trusted servers and avoid exposing the resolver to untrusted networks.
Patch Information
Upstream patches are tracked on the DNSMasq CVE Resource page and discussed in the DNSMasq Discuss Mailing List Post. Pi-hole shipped the fix in Pi-hole FTL Release v6.6.2. Distribution packaging updates are tracked in GitHub Pull Request #519082 and GitHub Pull Request #519093.
Workarounds
- Configure dnsmasq to forward only to trusted, validating upstream resolvers that drop malformed responses.
- Bind dnsmasq to internal interfaces using interface= and bind-interfaces to prevent external query exposure.
- Deploy a service supervisor such as systemd with automatic restart to reduce outage duration until patches are applied.
# Configuration example: restrict dnsmasq to internal interface and trusted upstream
listen-address=127.0.0.1,192.168.1.1
interface=eth0
bind-interfaces
no-resolv
server=1.1.1.1
server=9.9.9.9
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
