Critical dnsmasq Vulnerabilities Patched in Pi-hole Update

Severity: High (Score: 72.0)

Sources: github.com, nvd.nist.gov, Heise.De

Summary

On May 12, 2026, the Pi-hole project released FTL version 6.6.2, addressing multiple security vulnerabilities in dnsmasq versions 2.92 and 2.93. The vulnerabilities include buffer overflows and denial-of-service issues, identified as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172, all published on May 11, 2026. Affected systems include various Linux distributions like Arch Linux, Red Hat, and Ubuntu. Attackers could exploit these vulnerabilities to execute arbitrary code or cause service disruptions. Users are advised to upgrade to the latest version to mitigate risks. The vulnerabilities were highlighted by CERT.org, prompting immediate action from developers. Previous vulnerabilities were also patched in late April 2026, indicating ongoing security concerns for Pi-hole users. Key Points: • Pi-hole FTL 6.6.2 addresses critical dnsmasq vulnerabilities affecting multiple Linux distributions. • Six CVEs were disclosed, including buffer overflows and denial-of-service issues. • Users are urged to upgrade to the latest version to prevent potential exploitation.

Key Entities

• DDoS (attack_type)
• Denial of Service (attack_type)
• Zero-day Exploit (attack_type)
• CVE-2026-2291 (cve)
• CVE-2026-41489 (cve)
• CVE-2026-4890 (cve)
• CVE-2026-4891 (cve)
• CVE-2026-4892 (cve)
• Cwe-122 - Heap-based Buffer Overflow (cwe)
• Cwe-125 - Out-of-bounds Read (cwe)
• CWE-269 - Improper Privilege Management (cwe)
• cert.org (domain)
• T1078.003 - Local Accounts (mitre_attack)
• Arch Linux (platform)
• NixOS (platform)
• Pi-hole (platform)
• SUSE Linux (platform)
• Wind River (platform)
• DNSmasq (tool)
• Raspberry Pi (tool)
• SSH (tool)
• Red Hat (company)
• Ubuntu (company)