CVE-2026-6507: dnsmasq Out-of-Bounds Write

I have analyzed CVE-2026-6507, a memory corruption vulnerability in dnsmasq (v2.92), the DNS forwarder and DHCP server. The flaw allows a remote, unauthenticated attacker to trigger a heap-based out-of-bounds write with a crafted BOOTREPLY packet. Successful exploitation results in a denial-of-service condition: the service crashes.

The issue stems from inadequate input validation in the DHCP relay logic when the --dhcp-split-relay configuration option is active. My examination of src/rfc2131.c shows that a memset operation writes past the end of the allocated receive buffer.

The exploitation primitive relies on placing a specially crafted RFC 3046 Agent Information option at the tail of an otherwise valid BOOTREPLY frame. The resulting write corrupts the adjacent heap blocks, and the allocator aborts the process as soon as it detects the damage.

  1. Identify a target instance of dnsmasq with --dhcp-split-relay enabled.
  2. Craft a 552-byte packet incorporating a malformed Agent Information option.
  3. Transmit the payload to the service.
  4. Observe heap corruption via memory management error logs.

Analysis of affected systems typically reveals:

  • Unexpected process crashes logged in the system journal.
  • Evidence of heap corruption in core dumps.
  • Malformed DHCP traffic patterns captured in network pcaps.

To detect exploitation attempts, I recommend focusing on service instability metrics and anomalous network traffic.

title: Dnsmasq Out-of-Bounds Write Attempt
status: experimental
logsource:
    product: linux
    service: dnsmasq
detection:
    dnsmasq_crash:
        - 'Process crash or SIGABRT in dnsmasq'
    condition: dnsmasq_crash
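The rule above names the signal but leaves the matching to the backend. The following is an added example of mine, not part of the advisory and not a Sigma backend: it runs the same idea over journal lines, keeping the systemd exit record and the kernel segfault line as crash events, the glibc allocator diagnostics as corroborating heap-corruption evidence, and raising an alert only when several crashes land inside a short window, which is the "service instability" metric rather than a single crash. The message shapes, host name, PIDs and timestamps in the sample are constructed and assumed; adjust the patterns to what the host actually logs.

```python
# Added example (not from the advisory): scan journalctl-style lines for
# dnsmasq crash signals and raise an alert when the service is flapping.
import re
from collections import deque
from datetime import datetime, timedelta

# Lines meaning the dnsmasq main process died abnormally. Shapes assumed
# from typical systemd and kernel output.
CRASH_PATTERNS = [
    re.compile(r"dnsmasq\.service: Main process exited, "
               r"code=(?:killed|dumped), status=\d+/(?:ABRT|SEGV)"),
    re.compile(r"dnsmasq\[\d+\]: segfault at"),
]
# glibc allocator diagnostics printed by the process before it aborts;
# they corroborate heap corruption rather than a clean exit.
HEAP_ERROR_PATTERNS = [
    re.compile(r"dnsmasq\[\d+\]: (?:free|malloc|realloc)\(\): "),
    re.compile(r"dnsmasq\[\d+\]: (?:double free|corrupted)"),
]


def scan_journal(lines, threshold=3, window=timedelta(minutes=5)):
    """Classify lines of the form '<ISO timestamp> <host> <unit>[pid]: <message>'.

    Returns {'crashes': [datetime], 'heap_errors': [message], 'alerts': [(datetime, count)]}.
    An alert fires each time `threshold` or more crashes fall inside `window`.
    """
    crashes, heap_errors, alerts = [], [], []
    recent = deque()                      # crash timestamps inside the window
    for line in lines:
        ts_str, _, rest = line.partition(" ")
        if any(p.search(rest) for p in HEAP_ERROR_PATTERNS):
            heap_errors.append(rest)
            continue
        if not any(p.search(rest) for p in CRASH_PATTERNS):
            continue
        ts = datetime.fromisoformat(ts_str)
        crashes.append(ts)
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()              # drop crashes older than the window
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return {"crashes": crashes, "heap_errors": heap_errors, "alerts": alerts}


# Constructed sample journal: one heap diagnostic, three abnormal exits in
# just over a minute, interleaved with ordinary service lines.
SAMPLE_JOURNAL = """\
2026-01-10T12:00:00 gw dnsmasq[1201]: started, version 2.92 cachesize 150
2026-01-10T12:00:05 gw dnsmasq-dhcp[1201]: DHCPACK(eth0) 10.0.0.23 00:11:22:33:44:55
2026-01-10T12:00:07 gw dnsmasq[1201]: free(): invalid pointer
2026-01-10T12:00:07 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=6/ABRT
2026-01-10T12:00:08 gw systemd[1]: dnsmasq.service: Scheduled restart job, restart counter is at 1.
2026-01-10T12:00:40 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=6/ABRT
2026-01-10T12:01:12 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=6/ABRT
""".splitlines()

if __name__ == "__main__":
    result = scan_journal(SAMPLE_JOURNAL)
    print(f"{len(result['crashes'])} crashes, "
          f"{len(result['heap_errors'])} heap diagnostics, "
          f"{len(result['alerts'])} alert(s)")
    for ts, count in result["alerts"]:
        print(f"ALERT {ts.isoformat()}: {count} dnsmasq crashes within 5 minutes")
```

Pair the crash count with the pcap side of the advisory: an alert here says when to pull the DHCP traffic from the same window and look at the BOOTREPLY frames that arrived just before each exit.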