Security Advisory 2017-020

Release Date:

Critical Vulnerabilities Impacting Dnsmasq



  • 04/10/2017 --- v1.0 -- Initial publication


On October 2nd, 2017, Google published a blog post detailing several critical vulnerabilities impacting dnsmasq. Dnsmasq is widely used in Linux and BSD distributions, Android devices and proprietary firmwares for for serving DNS, DHCP, router advertisements, and network boot. It is often exposed to Internet and widely used on internal networks.

Google worked with dnsmasq developers to patch vulnerabilities before releasing proof of concept code [4] and a patch file [5].

The vulnerabilities allow an attacker to perform remote code execution (3 vulnerabilities), to get access to sensitive information (1 vulnerability), or to perform a denial-of-service attack on the service (3 vulnerabilities).

Technical Details

  • CVE-2017-14491: DNS-based remote code execution via heap based overflow (2 bytes)
  • CVE-2017-14492: DHCP-based remote code execution via heap based overflow -- could be used to bypass ASLR if used in combination with CVE-2017-14494
  • CVE-2017-14493: DHCP-based remote code execution via stack based overflow
  • CVE-2017-14494: DHCP-based Information leak -- could be used to bypass ASLR
  • CVE-2017-14495: DNS-based denial-of-service
  • CVE-2017-14496: DNS-based denial-of-service, also affecting Android
  • CVE-2017-13704: DNS-based denial-of-service

Products Affected

  • Dnsmasq < 2.78


Fix is available through an upgrade to Dnsmasq version 2.78. [2]

For Android devices, Google released a patch in the October 2017 Security Bulletin [3]. For other Linux and BSD distributions contact your distribution maintainers for a fix.


[1] Google blog post

[2] Dnsmasq changelog

[3] Android Security Bulletin -- October 2017

[4] Proof of Concept code for vulnerabilities

[5] Patch for dnsmasq source code

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.