## https://sploitus.com/exploit?id=274DC2E1-93D6-5CED-8A97-53B6DC183289
# dnsmasq 2.92 โ Proof of Concepts
Self-contained reproduction harnesses for the high-severity vulnerabilities
disclosed by [xchglabs](https://xchglabs.com) in dnsmasq 2.92. All bugs are
fixed in upstream **2.92rel2**. Coordinated disclosure ran through
[VU#471747](https://kb.cert.org/vuls/id/471747); the full writeup lives at
[xchglabs.com/blog/dnsmasq-five-cves.html](https://xchglabs.com/blog/dnsmasq-five-cves.html).
| CVE | Severity | Class | Reach | PoC |
|---|---|---|---|---|
| [CVE-2026-2291](cve-2026-2291/) | Critical | Heap buffer overflow in DNS cache insertion | Pre-auth, remote | Working, ASAN-confirmed |
| [CVE-2026-4892](cve-2026-4892/) | High | Heap buffer overflow in DHCPv6 root helper | Pre-auth, LAN | Working, ASAN-confirmed |
The remaining CVEs (4890 NSEC/NSEC3 infinite loop, 4891 RRSIG length
underflow, 4893 ECS validation bypass) are described in the
[blog post](https://xchglabs.com/blog/dnsmasq-five-cves.html). They are
reachable but require a non-trivial DNSSEC chain or `--add-subnet`
operator configuration to drive end-to-end; no PoC harnesses are shipped
here. Open an issue if you want one.
## Requirements
- Linux host (tested on Ubuntu 24.04)
- `gcc`, `make`, `python3`, `curl`, `tar`, `xz-utils`
- For CVE-2026-2291: `dig` (`apt install bind9-dnsutils`)
- For CVE-2026-4892: `sudo`, plus the ability to add an IPv6 address to `lo`
Each harness builds a local copy of dnsmasq 2.92 with AddressSanitizer
enabled. The Makefile fetches the upstream tarball from
`https://thekelleys.org.uk/` on first run and verifies its SHA-256
(`4bf50c2c1018f9fbc26037df51b90ecea0cb73d46162846763b92df0d6c3a458`).
Nothing is installed system-wide; everything runs out of the per-CVE
directory.
## CVE-2026-2291 โ pre-auth remote heap buffer overflow
```sh
cd cve-2026-2291
make build # download + compile dnsmasq 2.92 with ASAN (no root required)
make run # launch evil_ns + dnsmasq on loopback, fire one dig query
```
A 2032-byte attacker-controlled string is `strcpy()`'d into a 1025-byte
`union bigname.name` slot during `cache_insert()`. The PoC is a 50-line
authoritative nameserver that returns a CNAME+A pair crafted to defeat
the parser's `MAXDNAME` accounting (which counts raw input bytes while
the parser doubles three byte values into the output). Trigger is a
single DNS request; no DNSSEC, no authentication.
Expected output: ASAN `heap-buffer-overflow WRITE of size 2032` with a
call stack of `strcpy -> really_insert -> cache_insert ->
extract_addresses`.
See [cve-2026-2291/README.md](cve-2026-2291/README.md) for full details.
## CVE-2026-4892 โ DHCPv6 CLID heap overflow in root helper
```sh
cd cve-2026-4892
make build
sudo make run # binds UDP/547, adds fd00:dead:beef::1 to lo
sudo make teardown-net # remove the ULA when finished
```
A DHCPv6 Solicit/Request exchange carrying a 4 KB Client Identifier
option overflows `daemon->packet` (โ2267 bytes) inside the dnsmasq
helper process. Each input CLID byte writes 3 output bytes; the loop is
unbounded. The helper retains root after the main process drops privs,
so this is a local-root primitive on any host running dnsmasq with
`--dhcp-script` and DHCPv6 enabled.
Expected output: ASAN `heap-buffer-overflow WRITE` inside `helper.c`
after dnsmasq commits the lease and hands it to the helper.
See [cve-2026-4892/README.md](cve-2026-4892/README.md) for full details.
## Layout
```
.
โโโ README.md
โโโ cve-2026-2291/ # pre-auth remote heap overflow (DNS cache)
โ โโโ README.md
โ โโโ Makefile
โ โโโ evil_ns.py
โ โโโ dnsmasq.conf
โโโ cve-2026-4892/ # local-root heap overflow (DHCPv6 helper)
โโโ README.md
โโโ Makefile
โโโ dhcpv6_client.py
โโโ dhcp-script.sh
โโโ dnsmasq.conf
```
## Responsible use
These reproducers target a specific patched-upstream version. Run them
against your own infrastructure for defensive testing or local research.
Do not point them at hosts you do not own.
## Credits
Research by [xchglabs](https://xchglabs.com). Thanks to Simon Kelley for
the prompt upstream fix, and to Andrew Fasano of the
[CAISI](https://www.nist.gov/caisi) team at NIST for disclosure
coordination.