2458518 – (CVE-2026-4892) CVE-2026-4892 dnsmasq: DHCPv6 CLID buffer overflow in helper process

Bug 2458518 (CVE-2026-4892) - CVE-2026-4892 dnsmasq: DHCPv6 CLID buffer overflow in helper process

Summary: CVE-2026-4892 dnsmasq: DHCPv6 CLID buffer overflow in helper process

Keywords:
Status:	NEW
Alias:	CVE-2026-4892
Deadline:	2026-05-09
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-14 22:50 UTC by OSIDB Bzimport
Modified:	2026-05-12 17:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-14 22:50:33 UTC

In helper.c:265, the DHCPv6 CLID is hex-encoded via sprintf("%.2x") into daemon->packet (5,131 bytes) with no length cap on the CLID. DHCPv6 CLIDs can be up to 65,535 bytes (131,070 hex characters). The helper process retains root privileges. log6_packet() already caps CLID to 100 bytes for logging, but the helper code path was missed. Fix: add && i < 100 bound to the encoding loop, matching the logging cap.

Note You need to log in before you can comment on or make changes to this bug.