OESA-2026-2438
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2438
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2026-2438.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2026-2438
- Upstream
- Published
- 2026-05-22T13:22:11Z
- Modified
- 2026-05-22T13:30:24.337886643Z
- Summary
- dnsmasq security update
- Details
-
Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.
Security Fix(es):
dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.(CVE-2026-2291)
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.(CVE-2026-4890)
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.(CVE-2026-4891)
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.(CVE-2026-4892)
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.(CVE-2026-4893)
- Database specific
{ "severity": "Critical" }- References
-
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2438
- https://nvd.nist.gov/vuln/detail/CVE-2026-2291
- https://nvd.nist.gov/vuln/detail/CVE-2026-4890
- https://nvd.nist.gov/vuln/detail/CVE-2026-4891
- https://nvd.nist.gov/vuln/detail/CVE-2026-4892
- https://nvd.nist.gov/vuln/detail/CVE-2026-4893
Affected packages
openEuler:22.03-LTS-SP4 / dnsmasq
Package
- Name
- dnsmasq
- Purl
- pkg:rpm/openEuler/dnsmasq&distro=openEuler-22.03-LTS-SP4
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.86-15.oe2203sp4
Ecosystem specific
{
"x86_64": [
"dnsmasq-2.86-15.oe2203sp4.x86_64.rpm",
"dnsmasq-debuginfo-2.86-15.oe2203sp4.x86_64.rpm",
"dnsmasq-debugsource-2.86-15.oe2203sp4.x86_64.rpm",
"dnsmasq-help-2.86-15.oe2203sp4.x86_64.rpm"
],
"src": [
"dnsmasq-2.86-15.oe2203sp4.src.rpm"
],
"aarch64": [
"dnsmasq-2.86-15.oe2203sp4.aarch64.rpm",
"dnsmasq-debuginfo-2.86-15.oe2203sp4.aarch64.rpm",
"dnsmasq-debugsource-2.86-15.oe2203sp4.aarch64.rpm",
"dnsmasq-help-2.86-15.oe2203sp4.aarch64.rpm"
]
}