Share
## https://sploitus.com/exploit?id=274DC2E1-93D6-5CED-8A97-53B6DC183289
# dnsmasq 2.92 โ€” Proof of Concepts

Self-contained reproduction harnesses for the high-severity vulnerabilities
disclosed by [xchglabs](https://xchglabs.com) in dnsmasq 2.92. All bugs are
fixed in upstream **2.92rel2**. Coordinated disclosure ran through
[VU#471747](https://kb.cert.org/vuls/id/471747); the full writeup lives at
[xchglabs.com/blog/dnsmasq-five-cves.html](https://xchglabs.com/blog/dnsmasq-five-cves.html).

| CVE | Severity | Class | Reach | PoC |
|---|---|---|---|---|
| [CVE-2026-2291](cve-2026-2291/) | Critical | Heap buffer overflow in DNS cache insertion | Pre-auth, remote | Working, ASAN-confirmed |
| [CVE-2026-4892](cve-2026-4892/) | High | Heap buffer overflow in DHCPv6 root helper | Pre-auth, LAN | Working, ASAN-confirmed |

The remaining CVEs (4890 NSEC/NSEC3 infinite loop, 4891 RRSIG length
underflow, 4893 ECS validation bypass) are described in the
[blog post](https://xchglabs.com/blog/dnsmasq-five-cves.html). They are
reachable but require a non-trivial DNSSEC chain or `--add-subnet`
operator configuration to drive end-to-end; no PoC harnesses are shipped
here. Open an issue if you want one.

## Requirements

- Linux host (tested on Ubuntu 24.04)
- `gcc`, `make`, `python3`, `curl`, `tar`, `xz-utils`
- For CVE-2026-2291: `dig` (`apt install bind9-dnsutils`)
- For CVE-2026-4892: `sudo`, plus the ability to add an IPv6 address to `lo`

Each harness builds a local copy of dnsmasq 2.92 with AddressSanitizer
enabled. The Makefile fetches the upstream tarball from
`https://thekelleys.org.uk/` on first run and verifies its SHA-256
(`4bf50c2c1018f9fbc26037df51b90ecea0cb73d46162846763b92df0d6c3a458`).
Nothing is installed system-wide; everything runs out of the per-CVE
directory.

## CVE-2026-2291 โ€” pre-auth remote heap buffer overflow

```sh
cd cve-2026-2291
make build     # download + compile dnsmasq 2.92 with ASAN (no root required)
make run       # launch evil_ns + dnsmasq on loopback, fire one dig query
```

A 2032-byte attacker-controlled string is `strcpy()`'d into a 1025-byte
`union bigname.name` slot during `cache_insert()`. The PoC is a 50-line
authoritative nameserver that returns a CNAME+A pair crafted to defeat
the parser's `MAXDNAME` accounting (which counts raw input bytes while
the parser doubles three byte values into the output). Trigger is a
single DNS request; no DNSSEC, no authentication.

Expected output: ASAN `heap-buffer-overflow WRITE of size 2032` with a
call stack of `strcpy -> really_insert -> cache_insert ->
extract_addresses`.

See [cve-2026-2291/README.md](cve-2026-2291/README.md) for full details.

## CVE-2026-4892 โ€” DHCPv6 CLID heap overflow in root helper

```sh
cd cve-2026-4892
make build
sudo make run            # binds UDP/547, adds fd00:dead:beef::1 to lo
sudo make teardown-net   # remove the ULA when finished
```

A DHCPv6 Solicit/Request exchange carrying a 4 KB Client Identifier
option overflows `daemon->packet` (โ‰ˆ2267 bytes) inside the dnsmasq
helper process. Each input CLID byte writes 3 output bytes; the loop is
unbounded. The helper retains root after the main process drops privs,
so this is a local-root primitive on any host running dnsmasq with
`--dhcp-script` and DHCPv6 enabled.

Expected output: ASAN `heap-buffer-overflow WRITE` inside `helper.c`
after dnsmasq commits the lease and hands it to the helper.

See [cve-2026-4892/README.md](cve-2026-4892/README.md) for full details.

## Layout

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ cve-2026-2291/      # pre-auth remote heap overflow (DNS cache)
โ”‚   โ”œโ”€โ”€ README.md
โ”‚   โ”œโ”€โ”€ Makefile
โ”‚   โ”œโ”€โ”€ evil_ns.py
โ”‚   โ””โ”€โ”€ dnsmasq.conf
โ””โ”€โ”€ cve-2026-4892/      # local-root heap overflow (DHCPv6 helper)
    โ”œโ”€โ”€ README.md
    โ”œโ”€โ”€ Makefile
    โ”œโ”€โ”€ dhcpv6_client.py
    โ”œโ”€โ”€ dhcp-script.sh
    โ””โ”€โ”€ dnsmasq.conf
```

## Responsible use

These reproducers target a specific patched-upstream version. Run them
against your own infrastructure for defensive testing or local research.
Do not point them at hosts you do not own.

## Credits

Research by [xchglabs](https://xchglabs.com). Thanks to Simon Kelley for
the prompt upstream fix, and to Andrew Fasano of the
[CAISI](https://www.nist.gov/caisi) team at NIST for disclosure
coordination.