Pi-hole update closes dnsmasq security vulnerabilities
The Pi-hole project has released FTL 6.6.2, which closes vulnerabilities in the bundled dnsmasq. Other projects are likely to follow.
A security update is available for Pi-hole.
(Image: heise medien)
With the update to FTL 6.6.2, the Pi-hole project closes several security vulnerabilities in its DNS-based ad blocker, which is popular on the Raspberry Pi. The flaws sit in the DHCP and DNS server dnsmasq that FTL embeds.
In the release announcement for Pi-hole FTL 6.6.2, the developers describe closing the security vulnerabilities that became known in dnsmasq 2.92 and 2.93 and that CERT.org, among others, has been warning about since Monday of this week. A risk assessment of the vulnerabilities, for example a CVSS score, is not yet available. Nevertheless, many projects are likely to ship updates for the dnsmasq vulnerabilities soon, not least because the well-known CERT is warning about them. In addition to Pi-hole, CERT lists Arch Linux, NixOS, Red Hat, SUSE Linux, Ubuntu, and Wind River as affected.
The vulnerabilities include a heap buffer overflow that can be triggered with manipulated DNS responses (CVE-2026-2291), a buffer overflow in the DHCP helper script (CVE-2026-4892), out-of-bounds read accesses on the heap (CVE-2026-5172), a bypass of a subnet check in the EDNS client-subnet handling (CVE-2026-4893), and two denial-of-service vulnerabilities in DNSSEC processing (CVE-2026-4890, CVE-2026-4891). According to CERT, this could allow code execution, for example with root privileges, or let attackers manipulate the cache (cache poisoning/redirection). The dnsmasq project fixes the security holes in versions 2.92rel2 and 2.93.
Pi-hole: Updated Software
The maintainers do not state the oldest Pi-hole version that is vulnerable to the dnsmasq flaws. As a remedy, Pi-hole users should move to the current 6.x release line and install the update, which is applied by running sudo pihole -up in a terminal on the Raspberry Pi (or whatever host runs Pi-hole).
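Before updating, an administrator usually wants to know whether the installed FTL is actually older than the fixed release. The following script is an added example, not code from the Pi-hole project: it parses the "FTL version is vX.Y.Z" line that pihole -v prints (the exact line format is an assumption based on Pi-hole 6 output; adjust the sed pattern if your build prints something else), compares it numerically against 6.6.2, and only then runs the update. The sample output used in the check is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): check whether the installed
# Pi-hole FTL predates the release that carries the dnsmasq fixes, and
# run the documented update command if it does.

FIXED_FTL="6.6.2"   # first FTL release with the dnsmasq fixes, per the announcement

# version_lt A B: return 0 (true) if dotted version A is lower than B.
# A leading "v" and a "-suffix" (e.g. "-rc1") are ignored; missing fields count as 0.
version_lt() {
    a=${1#v}; a=${a%%-*}
    b=${2#v}; b=${b%%-*}
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields compared: equal, not lower
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] 2>/dev/null && return 0
        [ "$x" -gt "$y" ] 2>/dev/null && return 1
        i=$((i + 1))
    done
}

# installed_ftl_version: read `pihole -v` output on stdin and print the FTL
# version number. The line format "  FTL version is v6.6.1 (Latest: v6.6.2)"
# is assumed; nothing is printed if no such line is found.
installed_ftl_version() {
    sed -n 's/^[[:space:]]*FTL version is v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# ftl_needs_update: given `pihole -v` output on stdin, return 0 if FTL is
# older than $FIXED_FTL (or the version could not be determined), else 1.
ftl_needs_update() {
    v=$(installed_ftl_version)
    [ -z "$v" ] && return 0          # unknown version: treat as needing an update
    version_lt "$v" "$FIXED_FTL"
}

# Self-check against a constructed sample so the script is testable offline.
sample='  Core version is v6.4.2 (Latest: v6.4.2)
  Web version is v6.3 (Latest: v6.3)
  FTL version is v6.6.1 (Latest: v6.6.2)'
if printf '%s\n' "$sample" | ftl_needs_update; then
    echo "sample: FTL $(printf '%s\n' "$sample" | installed_ftl_version) < $FIXED_FTL, update needed"
fi

# On a real Pi-hole host, check the live version and update only when needed.
if command -v pihole >/dev/null 2>&1; then
    if pihole -v | ftl_needs_update; then
        echo "Installed FTL is older than $FIXED_FTL, updating ..."
        sudo pihole -up
    else
        echo "FTL is already $FIXED_FTL or newer."
    fi
fi
```

The numeric comparison matters: a plain string comparison would rank a hypothetical 6.10.0 below 6.6.2 and skip a needed update. The script treats an unparseable version as "needs update" so that a changed output format fails safe rather than silently reporting the host as patched.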
Most recently, the Pi-hole project released a security update at the end of April, closing two high-risk vulnerabilities. At that time, the Pi-hole Core and FTL components were affected. The vulnerabilities, which allowed attackers to escalate privileges, affect the scripts shipped with Pi-hole before Core 6.4.2 and FTL 6.6.1. Attackers who already hold Pi-hole privileges – for example, after exploiting a previously unknown vulnerability in the web interface – could thereby gain root privileges (CVE-2026-41489, CVSS 8.8, risk "high"). A more detailed analysis of the vulnerability is available on GitHub; the associated CVE entry was published in NIST's NVD database only late on Tuesday night.
(dmk)