Attack Chain

1. Attacker identifies a target dnsmasq server running with the --dhcp-split-relay option enabled.
2. Attacker crafts a malicious BOOTREPLY packet specifically designed to trigger the out-of-bounds write vulnerability.
3. The attacker sends the crafted BOOTREPLY packet to the targeted dnsmasq server.
4. The dnsmasq server processes the malicious packet, leading to an out-of-bounds write in memory.
5. Memory corruption occurs due to the out-of-bounds write.
6. The dnsmasq daemon encounters a critical error due to the memory corruption.
7. The dnsmasq daemon crashes, interrupting DNS and DHCP services.
8. Legitimate clients are unable to resolve domain names or obtain IP addresses, resulting in a denial of service.

Impact

Successful exploitation of CVE-2026-6507 leads to a denial-of-service condition, disrupting network connectivity and potentially affecting all clients relying on the vulnerable dnsmasq server for DNS and DHCP services. The impact ranges from temporary network outages to complete service unavailability, depending on the criticality of the affected dnsmasq instance. The number of affected systems will vary based on the prevalence of dnsmasq deployments with the --dhcp-split-relay option enabled.

Recommendation

• Apply the patch or upgrade to a non-vulnerable version of dnsmasq as provided by the vendor to remediate CVE-2026-6507 (https://nvd.nist.gov/vuln/detail/CVE-2026-6507).
• Disable the --dhcp-split-relay option in dnsmasq configuration if it is not required, mitigating the attack vector (https://nvd.nist.gov/vuln/detail/CVE-2026-6507).
• Monitor network traffic for malformed BOOTREPLY packets targeting dnsmasq servers, using the “Detect Malformed BOOTREPLY Packets” Sigma rule.
• Enable process crash monitoring on systems running dnsmasq to detect potential crashes resulting from exploitation attempts, using the “Detect Dnsmasq Process Crash” Sigma rule.