ALAS2DNSMASQ-2026-003

Amazon Linux 2 Security Advisory: ALAS2DNSMASQ-2026-003
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-06-08

Severity: Important

References: CVE-2026-2291
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS. (CVE-2026-2291)

Affected Packages:

dnsmasq

Note:

This advisory is applicable to Amazon Linux 2 - Dnsmasq Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update dnsmasq or yum update --advisory ALAS2DNSMASQ-2026-003 to update your system.

New Packages:

aarch64:
    dnsmasq-2.90-1.amzn2.0.2.aarch64
    dnsmasq-utils-2.90-1.amzn2.0.2.aarch64
    dnsmasq-debuginfo-2.90-1.amzn2.0.2.aarch64

src:
    dnsmasq-2.90-1.amzn2.0.2.src

x86_64:
    dnsmasq-2.90-1.amzn2.0.2.x86_64
    dnsmasq-utils-2.90-1.amzn2.0.2.x86_64
    dnsmasq-debuginfo-2.90-1.amzn2.0.2.x86_64

Changelog:

2026-06-08: CVE-2026-2291 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-2291

Mitre: CVE-2026-2291