The dnsmasq packages in Red Hat Enterprise Linux 9 contain multiple security vulnerabilities, including a heap buffer overflow via NAME_ESCAPE expansion (CVE-2026-2291), an infinite loop in NSEC bitmap parsing (CVE-2026-4890), a heap out-of-bounds read due to RRSIG rdlen underflow (CVE-2026-4891), a DHCPv6 CLID buffer overflow in the helper process (CVE-2026-4892), and a broken ECS source validation bypass (CVE-2026-4893). These vulnerabilities affect the DNS and DHCP server components of dnsmasq, potentially impacting system stability and security. Red Hat has released updated dnsmasq packages for various architectures and versions of Red Hat Enterprise Linux 9 to address these issues. The advisory is classified as important, with a high severity rating, and users should refer to the official Red Hat advisory RHSA-2026:19373 for update instructions.

The identified vulnerabilities in dnsmasq could lead to heap buffer overflows, infinite loops, out-of-bounds memory reads, and bypass of source validation, which may cause denial of service or other security impacts on systems running affected versions of Red Hat Enterprise Linux 9. The issues affect core DNS forwarding and DHCP server functionality, potentially impacting network services. Red Hat rates the security impact as important with a high severity level. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated dnsmasq packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions should apply the security update as described in Red Hat advisory RHSA-2026:19373. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. No additional mitigations are indicated by the vendor advisory. Patch status is confirmed as an official fix available via the updated packages.