
A sizeable group of Linux-powered broadband ISP routers, widely used both around the world and across the United Kingdom, will need urgent firmware updates after a string of six new security vulnerabilities was recently discovered in the open-source networking tool Dnsmasq.
The chances are fairly good that, unless you’re of the computer networking ilk, you probably won’t have heard of Dnsmasq before. But suffice to say, a lot of consumer broadband routers make use of it because the tool provides an often-vital set of functions, such as Domain Name System (DNS) management, DHCP controls, local hostname resolution and other things.
As a result, Dnsmasq can be found in everything from OpenWrt and DD-WRT to Linksys-based devices and kit from lots of other router vendors. The catch is that not all consumer routers make use of it (there are various alternatives), so it can be a little tricky to know precisely which devices are vulnerable to the latest set of vulnerabilities. For example, FRITZ!Box routers seem to use their own proprietary system and NOT Dnsmasq.
Just to further confuse matters, some vendors may have vulnerable base-level kit, but an ISP could then re-brand that around their own custom firmware, which might not harness Dnsmasq. In any case, the latest batch of security headaches to worry about can be found listed below (credits to Simon for the nudge):
The New Dnsmasq Vulnerabilities
CVE-2026-5172
A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
CVE-2026-4890
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
CVE-2026-2291
dnsmasq’s extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups being redirected to an attacker-controlled IP address, or to cause a DoS.
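The CVE-2026-5172 description above turns on a name decoder running past the end of the record it is reading. As an added illustration (not dnsmasq code and not taken from the advisories), this Python checker applies the bounds rule a DNS parser needs: a name inside RDATA must end exactly where RDLENGTH says. The function names and the sample packets are constructed for this example.

```python
import struct

NAME_TYPES = {2: "NS", 5: "CNAME", 12: "PTR"}  # RDATA is exactly one name (RFC 1035)

def name_end(msg, off, limit):
    """Offset just past the name at off, or None if it needs bytes at/after limit."""
    while off < limit:
        length = msg[off]
        if length == 0:
            return off + 1
        if length > 63:  # a pointer (0xC0+) ends the name in two bytes; 0x40-0xBF is reserved
            return off + 2 if length >= 0xC0 and off + 2 <= limit else None
        off += 1 + length
    return None

def check_response(msg):
    """Return findings for records whose embedded name disagrees with RDLENGTH."""
    if len(msg) < 12:
        return ["truncated header"]
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = name_end(msg, off, len(msg))
        if off is None or off + 4 > len(msg):
            return ["malformed question"]
        off += 4
    findings = []
    for i in range(an + ns + ar):
        off = name_end(msg, off, len(msg))
        if off is None or off + 10 > len(msg):
            return findings + [f"record {i}: truncated"]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        end = off + 10 + rdlen
        if end > len(msg):
            return findings + [f"record {i}: RDLENGTH past end of message"]
        if rtype in NAME_TYPES and name_end(msg, off + 10, end) != end:
            findings.append(f"record {i}: {NAME_TYPES[rtype]} name does not end at RDLENGTH")
        off = end
    return findings

# Constructed sample packets (not captured traffic): one question, CNAME answers.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
TARGET = b"\x03cdn\x07example\x03net\x00"
def sample_msg(*rdlens):  # one CNAME answer per declared RDLENGTH
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, n) + TARGET for n in rdlens)
    return struct.pack("!6H", 0x1234, 0x8180, 1, len(rdlens), 0, 0) + QUESTION + rrs

GOOD = sample_msg(len(TARGET))
BAD = sample_msg(len(TARGET), 4)  # second record declares RDLENGTH 4 for a 17-byte name
```

Record types that carry a name after other fields (MX, SOA, SRV) are outside this sketch and would need the same end-of-record check applied per field.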
In terms of severity, some of the CVEs appear to be particularly nasty, with the last one on our list (CVE-2026-2291) receiving a critical score of 9+ out of 10 for its potential to be exploited in order to conduct DNS cache poisoning, denial of service and possible remote code execution in some environments. But many, if NOT all, of these CVEs require an attacker to have already gained access to your network, which limits their severity.
However, the degree to which a device may be exposed to any of these does also vary a bit depending upon the configuration of the router (e.g. what features are enabled or disabled), although we’d expect router vendors to be actively releasing patches for these vulnerabilities regardless. The latest stable release of Dnsmasq, which fixes these issues, is v2.92 (release 2) and was published on 11th May 2026.
One notable example is GL.iNet, which bases their kit off a modified variant of OpenWrt. The company was one of the first out of the gate to release firmware that mentioned fixes for security flaws with Dnsmasq. As for the major UK broadband ISPs, we queried last week if any of them used Dnsmasq and whether they had issued patches for the latest CVEs.
At the time of writing, TalkTalk informed ISPreview that they were aware of the newly-discovered Dnsmasq vulnerabilities and continuously review the security of their equipment in collaboration with their suppliers, although they didn’t say if any patches were needed or had been issued.
Meanwhile, BT promised a response yesterday, yet didn’t get one to us before end of play (we’ll update later this morning with their reply). But sadly, Sky Broadband, Vodafone, Virgin Media / O2 and a few others all failed to respond. We expect broadband providers to be more on the ball with such issues, particularly in light of the UK’s strict new telecoms security laws (example). In the age of AI, vendors and ISPs alike will have to move faster to keep pace.