{"uuid": "bb20f34e-4314-42f2-8e6b-cb2c917339bc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "[Dnsmasq-discuss] Security - IMPORTANT - May 2026", "description": "Today, 11th May 2026 CERT is releasing a set of six CVEs for serious \nsecurity vulnerabilities in dnsmasq. These are all long-standing bugs \nwhich apply to pretty much all non-ancient versions. The CVE has been \npre-disclosed to vendors, so hopefully they will be releasing patched \nversions of their dnsmasq packages in a timely manner.\n\nDetails and patches are available on the website at\n\nhttps://thekelleys.org.uk/dnsmasq/CVE/\n\nand I have made a \"2.92rel2\" release of the current 2.92 dnsmasq stable \nrelease which is downloadable from the usual place and has had these \npatches applied.\n\nAt the same time, the commits which fix these bugs in the development \ntree will be uploaded. Some of these use the same patches as the \nbackports, but some are more comprehensive re-writes to tackle root-causes.\n\nThere has been something of a revolution in AI-based security research, \nand I've spent a lot of time over the last couple of months dealing with \nbug reports, weeding duplicates (so many duplicates!) and triaging bugs \ninto those which need vendor pre-disclosure and those which it's better \nto make public and fix immediately. Those judgements have been \nnecessarily subjective, but given the number of times \"good guys\" have \nfound these bugs, there's no doubt that \"bad guys\" have been able to do \nthe same, so long embargoes seem kind of pointless. There's also the \nproblem that the amount of time and effort, for all actors, needed to \nco-ordinate an embargo and provide backports is huge. I think the \npriority for most bugs is to fix them going forward, and have new \ndnsmasq releases as bug-free as possible. To this end, you may have \nnoticed that there have been a lot of security-fix commits to the git \nrepo in the weeks prior to this announcement.\n\nI will shortly tag dnsmasq-2.93rc1 and the aim is to get a stable 2.93 \nrelease done ASAP. Testing of the release candidate by members here is \nimportant and I'd like to encourage anyone who can to do that as soon as \nthey can. With luck, 2.93 could be out in a week or so.\n\nThe tsunami of AI-generated bug reports shows no signs of stopping, so \nit is likely that this process will have to be repeated again soon. \nThere's a tension between getting as much as possible of the ongoing bug \nstream fixed in 2.93 and its timely release. I plan to prioritise \ntimeliness, and keep working after that as necessary.", "creation_timestamp": "2026-05-13T12:31:36.906257+00:00", "timestamp": "2026-05-13T12:31:36.906257+00:00", "related_vulnerabilities": ["CVE-2026-4892", "CVE-2026-2291", "CVE-2026-4891", "CVE-2026-5172", "CVE-2026-4890", "CVE-2026-4893"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
