Ad blocker Pi-hole: Update patches code smuggling and privilege escalation flaws
The developers have updated the DNS-based ad blocker Pi-hole. The update patches highly risky security holes.
(Image: heise medien)
The developers of the DNS-based ad blocker Pi-hole released updated packages over the weekend. They close two security vulnerabilities that are considered highly risky.
The updates apply to the Pi-hole Core and FTL (Faster-Than-Light, Pi-hole's DNS server) components. One vulnerability affects both components and allows attackers to escalate their privileges on vulnerable systems. The developers explain that the Pi-hole user has write access to the central configuration file “/etc/pihole/pihole.toml”. Two shell scripts read the path to the “files-pid” file and use it without further checks for installation and deletion – while running as root (“pihole-FTL-prestart.sh” and “pihole-FTL-poststop.sh”). Attackers with Pi-hole privileges can therefore delete and create files with root privileges, even outside the protected directory. The advisory mentions an example that achieves local root privileges by manipulating the authorized_keys file for SSH (CVE-2026-41489, CVSS 8.8, risk “high”).
Insufficient filtering in the “dns.interface” configuration field in Pi-hole FTL causes newline characters to be accepted. Attackers can smuggle arbitrary directives into the dnsmasq configuration. The widespread configuration without an admin password allows API access without credentials. Malicious actors can smuggle a “dhcp-script=” directive and activate DHCP. As soon as a device in the network requests a DHCP lease, arbitrary commands can be executed (CVE-2026-39849, CVSS 8.7, risk “high”).
Vulnerable Software
Pi-hole Core and Pi-hole FTL from version 6.0 onwards are vulnerable. The updates to the new versions Pi-hole Core 6.4.2 and Pi-hole FTL 6.6.1 or newer correct the security-relevant errors. On the Raspberry Pi, where the software runs by default, the command sudo pihole -up updates the ad blocker.
Videos by heise
Most recently, the Pi-hole project closed security vulnerabilities at the beginning of April. Among other things, they allowed attackers to inject malicious code.
(dmk)
