{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-09T00:00:00Z",
  "bugzilla" : {
    "description" : "dnsmasq: dnsmasq: heap buffer overflow in cache via NAME_ESCAPE expansion",
    "id" : "2439088",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439088"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-131",
  "details" : [ "dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.", "A heap buffer overflow was discovered in dnsmasq's DNS cache. When processing DNS responses, dnsmasq expands certain characters into longer escape sequences, but the cache buffer is not sized to hold the expanded result. A specially crafted DNS response can overflow this buffer, potentially crashing the dnsmasq process or poisoning DNS cache records." ],
  "statement" : "Red Hat rates this issue as Moderate rather than Important. While DNS cache poisoning is possible, a process crash is the most likely outcome of a successful exploit. Also, standard upstream DNS resolvers reject the malformed responses before they reach dnsmasq, limiting exploitation to uncommon configurations where dnsmasq forwards directly to an attacker-controlled server.",
  "acknowledgement" : "Red Hat would like to thank Andrew Fasano (NIST) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19158",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "dnsmasq-0:2.90-7.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19373",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dnsmasq-0:2.85-18.el9_8.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "dnsmasq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "dnsmasq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "dnsmasq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-2291\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2291" ],
  "name" : "CVE-2026-2291",
  "csaw" : false
}