On May 11, CERT disclosed six security vulnerabilities, rated from medium to critical, in dnsmasq, the lightweight DNS and DHCP server embedded in millions of routers, IoT devices, and Linux systems worldwide. The flaws let attackers poison DNS caches, escalate privileges to root on Linux systems, and mount denial-of-service attacks. Patches are available, but the vast majority of affected consumer routers will never receive them, leaving millions of devices permanently vulnerable.
What is Dnsmasq and Why Should You Care?
Dnsmasq is a lightweight DNS forwarding and DHCP server that’s been the invisible workhorse of home networks for over 20 years. It’s embedded in most consumer router firmware, built into Android, and included in nearly every Linux distribution. If you’ve connected to Wi-Fi at home, you’ve probably used dnsmasq without knowing it existed.
The software was created by British developer Simon Kelley in the early 2000s and has been maintained essentially solo ever since. For most of its life, it was a spare-time project, only recently becoming his full-time work after winning the 2024 BlueHats Prize for maintaining critical infrastructure.
The Vulnerabilities: DNS Poisoning and Root Privilege Escalation
The six CVEs range from medium to critical severity. CVE-2026-2291, a heap buffer overflow, enables DNS cache poisoning. Attackers can inject false DNS entries, redirecting users from bank.com to phishing servers. CVE-2026-4892 allows local attackers to escalate privileges to root on Linux systems through a crafted DHCPv6 packet.
The remaining four CVEs cover denial of service through infinite loops in DNSSEC validation, memory information disclosure, and process crashes triggered by malformed DNS responses.
Here’s the kicker: according to the dnsmasq changelog, “these are all long-standing bugs which apply to pretty much all non-ancient versions.” These vulnerabilities existed for years in publicly available code. So much for “many eyes make all bugs shallow.”
The Patching Divide: Two Worlds of Security
Linux system administrators are already patching their servers. Dnsmasq version 2.92rel2 was released on May 12 with fixes for all six CVEs. Debian, Ubuntu, and RHEL are pushing emergency updates. Servers will be secured within days.
Meanwhile, millions of consumer routers will never be patched. Router manufacturers typically abandon support after 1-3 years, and most devices are already past that window. As one security analysis noted, “routers do not usually make it obvious when they are no longer being maintained and can keep doing their job on the surface while quietly falling out of support.”
The KV Botnet was built on Cisco RV320 and Netgear routers abandoned years earlier. Operation WrtHug compromised tens of thousands of end-of-life ASUS routers. When vulnerabilities pile up on unpatched devices, hackers don’t need new flaws. They recycle old ones that still work.
One Person Maintained This for 20 Years
Dnsmasq is embedded in millions of devices that generate billions in revenue for router manufacturers, yet Simon Kelley maintained it for free for roughly two decades.
This isn’t unique to dnsmasq. Sixty percent of open source maintainers remain unpaid, and 44% cite burnout. In November 2025, Kubernetes retired Ingress NGINX not because it was obsolete but because maintainers working nights and weekends couldn’t sustain it.
The current model is broken. We expect people to maintain critical infrastructure in their spare time for free while companies build billion-dollar businesses on their work. The fact that these dnsmasq bugs existed for years despite public source code should end the “many eyes” open source security myth. Eyes don’t matter if they’re not looking, and volunteer code review is no substitute for funded security audits.
What You Should Do
If you’re running dnsmasq on servers, patch immediately. Check your version with dnsmasq --version and update to 2.92rel2 or later. Consider alternatives like systemd-resolved or unbound.
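As an added example that is not part of the article, the POSIX shell check below parses the first line of dnsmasq --version and decides whether the installed build is at or beyond the fixed release named above, 2.92rel2. The banner format ("Dnsmasq version X.YY ...") and the suffix ordering used for comparison (test, rc, plain release, rel) are assumptions of this example, not something the article documents.

```shell
#!/bin/sh
# Added example, not from the article: is this dnsmasq build at or beyond the
# fixed release the text names (2.92rel2)? Assumptions (ours): the banner line
# reads "Dnsmasq version X.YY..." and suffixes order testN < rcN < plain < relN.
FIXED_VERSION="2.92rel2"

# Pull the bare version token out of the first --version banner line.
dnsmasq_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^[Dd]nsmasq version \([0-9][0-9.]*[a-z]*[0-9]*\).*/\1/p'
}

# Map a version such as "2.92rel2" to a sortable integer; -1 if unparsable.
dnsmasq_version_key() {
    printf '%s\n' "$1" | awk '{
        if (match($0, /^[0-9]+\.[0-9]+/) == 0) { print "-1"; exit }
        split(substr($0, RSTART, RLENGTH), num, ".")
        rest = substr($0, RSTART + RLENGTH)
        stage = 2; n = 0                       # plain release, e.g. "2.92"
        if (match(rest, /^test[0-9]*/))     { stage = 0; n = substr(rest, 5) + 0 }
        else if (match(rest, /^rc[0-9]*/))  { stage = 1; n = substr(rest, 3) + 0 }
        else if (match(rest, /^rel[0-9]*/)) { stage = 3; n = substr(rest, 4) + 0 }
        print num[1] * 1000000 + num[2] * 10000 + stage * 100 + n
    }'
}

# True (exit 0) when the given version is at or beyond FIXED_VERSION.
dnsmasq_is_patched() {
    have=$(dnsmasq_version_key "$1")
    need=$(dnsmasq_version_key "$FIXED_VERSION")
    [ "$have" -ge 0 ] && [ "$have" -ge "$need" ]
}

# Live check of the installed binary; exit status 1 means an update is required.
check_installed_dnsmasq() {
    command -v dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not installed"; return 0; }
    ver=$(dnsmasq_version_from_banner "$(dnsmasq --version 2>/dev/null | head -n 1)")
    if dnsmasq_is_patched "$ver"; then
        echo "dnsmasq ${ver:-unknown}: at or beyond $FIXED_VERSION"
    else
        echo "dnsmasq ${ver:-unknown}: UPDATE REQUIRED (fixed in $FIXED_VERSION)"; return 1
    fi
}

# Demo on constructed banner lines in the format the real binary prints.
for b in "Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley" \
         "Dnsmasq version 2.92rel2  Copyright (c) 2000-2026 Simon Kelley"; do
    v=$(dnsmasq_version_from_banner "$b"); dnsmasq_is_patched "$v" && echo "$v: patched" || echo "$v: vulnerable"
done
```

Call check_installed_dnsmasq on a host to test the binary actually installed there; it exits non-zero when an update is needed, so it can gate a configuration-management run.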
If you have a home router, the reality is harsher. Your router is probably vulnerable and won’t be fixed. You can check for firmware updates, but they likely don’t exist. Options: replace with an actively supported model, flash open-source firmware like OpenWrt if you’re technical, or accept the risk.
For the industry, we need mandatory security update requirements for IoT devices with minimum five-year support periods. Initiatives like the Open Source Endowment are creating permanent funding for critical projects, but adoption remains slow.
The Bigger Picture
The dnsmasq vulnerabilities are breaking news, but they’re a symptom of systemic failure. We’ve built critical internet infrastructure on volunteer labor and are now surprised when cracks appear. The patching divide between enterprise systems and consumer devices means millions remain vulnerable to attacks we already know how to prevent.
Simon Kelley did his job. He released patches within 24 hours of disclosure. The question is whether router manufacturers, regulators, and the industry will do theirs.