Home
 » ISP News » 

String of Dnsmasq Vulnerabilities Threatens UK Broadband Routers

Thursday, May 28th, 2026 (12:01 am) - Score 2,520
Router with wireless network signal

A sizeable group of Linux-powered broadband ISP routers, widely used both around the world and across the United Kingdom, will need firmware updates after a string of six new security vulnerabilities were recently discovered in the open-source networking tool Dnsmasq. But most of them would require local network access to fully exploit.

The chances are fairly good that, unless you’re of the computer networking ilk, then you probably won’t have heard of Dnsmasq before. But suffice to say, a lot of consumer broadband routers make use of it because the tool contains an often-vital set of useful functions, such as Domain Name System (DNS) management, DHCP controls, local hostname resolution and other things.

NOTE: Dnsmasq can also be found in lots of general IoT devices, Linux systems, containers, and network appliances. Some of which may be less likely to benefit from regular firmware updates, thus potentially creating weak points in a wider network.

As a result, Dnsmasq can be found in everything from OpenWrt and DD-WRT to Linksys-based devices and lots of other router vendors. The catch is not that all consumer routers make use of it (there are various alternatives), so it can be a little tricky to know precisely which devices are vulnerable to the latest set of vulnerabilities. For example, FRITZ!Box routers seem to use their own propriety system and NOT Dnsmasq.

Advertisement

Just to further confuse matters, some vendors may have vulnerable base-level kit, but an ISP could then re-brand that around their own custom firmware, which might not harness Dnsmasq. In any case, the latest batch of security headaches to worry about can be found listed below (credits to Simon for the nudge):

The New Dnsmasq Vulnerabilities

CVE-2026-5172
A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.

CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.

CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.

CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.

CVE-2026-4890
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.

CVE-2026-2291
Dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.

In terms of severity, some of the CVEs appear to be particularly nasty, with the last one on our list (CVE-2026-2291) receiving a high to critical score of 9.2 out of 10 on SUSE (CVSS v4.0) for its potential to be remotely exploited in order to conduct DNS cache poisoning, denial of service and possible remote code execution in some environments (it scores 8.1 on SUSE – CVSS v3.1). But many, if NOT all, of these CVEs require an attacker to have already gained access to your local network, which limits their severity.

However, the degree to which a device may be exposed to any of these does also vary a bit depending upon the configuration of the router (e.g. what features are enabled or disabled), although we’d expect router vendors to be actively releasing patches for these vulnerabilities regardless. The latest stable release of Dnsmasq, which fixes these issues, is v2.92 (release 2) and was published on 11th May 2026.

One notable example is GL.iNet, which bases their kit off a modified variant of OpenWrt. The company was one of the first out of the gate to release firmware that mentioned fixes for security flaws with Dnsmasq. As for the major UK broadband ISPs, we queried last week if any of them used Dnsmasq and whether they had issued patches for the latest CVEs.

Advertisement

At the time of writing, TalkTalk informed ISPreview that they were aware of the newly-discovered Dnsmasq vulnerabilities and continuously review the security of their equipment in collaboration with their suppliers, although they didn’t say if any patches were needed or had been issued.

Meanwhile, BT didn’t comment, but did inform us that they were aware of the vulnerabilities, were taking them seriously and have established processes in place to assess, prioritise and remediate issues in a hopefully timely and proportionate way. Oddly BT also indicated that none of the identified issues were classified as critical, which depends on what database you’re using (as above, several CVE databases categorise CVE-2026-2291 as being of High to Critical severity).

BT also informed that some of the vulnerabilities relate to functionality that is not supported on their hubs, while in other cases exploitation would depend on highly specific conditions, including interaction with deliberately malicious domains. BT thus believes there is a limited real-world risk for the vast majority of their customers, especially as their routers / hubs have safeguards in place to minimise exposure to malformed or malicious responses. BT plan to continue monitoring the situation while waiting for software updates from their vendors and will review their response or take more action if the risk profile changes.

Sadly, Sky Broadband, Vodafone, Virgin Media / O2 and a few others all failed to respond. We expect those broadband provider’s to be more on the ball with such issues, particularly in light of the UK’s strict new telecoms security laws (example). In the age of AI – vendors and ISPs alike will have to move faster to keep pace with the changing threat environment.

Advertisement

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Tags:
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and .
Search ISP News
Search ISP Listings
Search ISP Reviews
Comments
9 Responses

Advertisement

  1. Avatar photo David says:

    I have a “Vodafone WiFi Hub” on the latest firmware (19.4.0551-3261161), which reports having dnsmasq version 2.83-2 on its “About” page.

    I don’t know if this is the latest version for the router because Vodafone don’t seem to publish details about firmware versions, and trying to tell the router to check for updates results in an error!

  2. Avatar photo Ray Burn says:

    Consumers I engage with all say they want to deploy these products in their deep ecosystems.

  3. Avatar photo Ivor says:

    In a way I’m glad that it’s going to be on virtually everything because it saves the tedious arguments around the quality of ISP routers vs a reassuringly expensive but not technically superior device.

    It’ll be an interesting test to see how quickly it gets patched. BT has taken a unique approach of doing their firmware development in house so in theory this could be quicker than the competition who rely on the same two or three companies. I guess the fact that they’ve already responded shows the difference it can make.

    1. Avatar photo Big Dave says:

      BT doing its own in house firmware ain’t no guarantee. I remember how dreadful the early firmware on the Smart Hub 1 was – it took multiple updates before they sorted it.

    2. Avatar photo Ivor says:

      The SH1 and SH2 were OEM jobs. The EE Smart Hub 3/Plus was the first to use their new in house “Indigo” firmware.

  4. Avatar photo Ad47uk says:

    I have heard of it, something to do with a local DNS server or something like that, allows providers control of the router? I think. Not really taken a lot of notice.

    I am glad I use my own router, update it when I want to.

    1. Avatar photo 84.08khz says:

      No, you’re not capable of managing the security of your router. You’ll find it gets updated when the bad actors who actually control it decide to.

  5. Avatar photo Roger says:

    2nd router and use OpenWRT
    Simple.
    Don’t trust your suppliers router.Absolute rubbish.

    1. Avatar photo Bevster69uk says:

      The article clearly states that OpenWRT is potentially vulnerable to this too, as dnsmasq can be used on OpenWRT too.

Leave a Reply

Your email address will not be published. Required fields are marked *

NOTE: Your comment may not appear instantly (it may take several hours) due to static caching and moderation checks by the anti-spam system. Please be patient. We will reject comments that spam, troll, post via known fake IP/proxy servers or fall foul of our Online Safety and Content Policy.
Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real person's legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £22.99
145Mbps
Gift: £155 Reward Card
Sky UK ISP Logo
Sky £23.00
100Mbps
Gift: None
NOW UK ISP Logo
NOW £23.00
100Mbps
Gift: None
BT UK ISP Logo
BT £23.99
150Mbps
Gift: £100 BT Reward Card
Large Availability | View All
Promotion
Cheap Unlimited Mobile SIMs
giffgaff UK ISP Logo
giffgaff £14.00
Contract: 18 Months
Data: Unlimited
iD Mobile UK ISP Logo
iD Mobile £16.00
Contract: 1 Month
Data: Unlimited
Talkmobile UK ISP Logo
Talkmobile £16.95
Contract: 1 Month
Data: Unlimited
Smarty UK ISP Logo
Smarty £17.00
Contract: 1 Month
Data: Unlimited
Sky UK ISP Logo
Sky £20.00
Contract: 12 Months
Data: Unlimited
New Forum Topics
Cheapest ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: None
Gigaclear UK ISP Logo
Gigaclear £19.00
300Mbps
Gift: None
toob UK ISP Logo
toob £19.50
150Mbps
Gift: None
Grain Connect UK ISP Logo
250Mbps
Gift: None
Zzoomm UK ISP Logo
Zzoomm £21.00
200Mbps
Gift: None
Large Availability | View All
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact