dnsmasq security update

This release imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Patches are taken verbatim from https://thekelleys.org.uk/dnsmasq/CVE/

CVEs fixed

• CVE-2026-2291 — Heap OOB write in struct bigname. The on-heap namebuffer was sized for the wire form of a domain name (MAXDNAME) rather than its escaped internal form (MAXDNAME*2 + 1). A remote peer that can send or answer DNS queries could cause a large out-of-bounds write on the heap. Reported by Andrew S. Fasano.

• CVE-2026-4890 — DNSSEC denial of service via NSEC bitmap parsing.The window-iteration step omitted the 2-byte window header, so a crafted NSEC record with bitmap_length == 0 produced an infinite loop and dnsmasq stopped answering queries. Reachable before RRSIG validation,so no valid signatures are required to trigger it. Reported by Royce M.

• CVE-2026-4891 — DNSSEC crash via crafted RRSIG. A packet declaring an rdlen smaller than the fixed RRSIG header plus signer's name produced a negative signature length and a subsequent crash. Reported by Royce M.

• CVE-2026-4892 — Privileged buffer overflow in the DHCP helper.When --dhcp-script is configured, hex-encoded DHCPv6 client identifiers (up to 65535 bytes) were written into a 5131-byte buffer in the root-privileged helper. Reported by Royce M.

• CVE-2026-4893 — EDNS Client Subnet validation bypass. With--add-subnet enabled, process_reply() passed the OPT record length(~23 bytes) to check_source() instead of the packet length, causing every internal bounds check to fail and the validation routine to always return success. ECS source validation per RFC 7871 §9.2 was effectively disabled. Reported by Royce M.

• CVE-2026-5172 — Heap OOB read in extract_addresses(). A mismatched RR rdlen allowed extract_name() to advance past the computed end of the record, underflowing the remaining-bytes calculation and producing a large OOB read with certain crash.Reported by Hugo Martinez Ray.

Upgrade impact

All six fixes are minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities.

Fix dnsmasq CVE publications by @DL6ER in #2888

This furthermore indirectly fixes #2871 due to pi-hole/docker-base-images#158

Full Changelog: v6.6.1...v6.6.2

What's Changed

• Add new GET /api/config/_properties endpoint by @DL6ER in #2356
• Fix thread-safety issues causing SIGSEGV under concurrent API load by @DL6ER in #2835
• fix: fix rare race condition for SHM strings in API handlers by @DL6ER in #2833
• Accept punycode domains that libidn2 rejects under IDNA2008 by @DL6ER in #2838
• Improve shutdown diagnostics to identify SIGTERM source by @DL6ER in #2839
• Resolve empty backtraces when addr2line is not installed by @DL6ER in #2831
• Improve thread-safety for concurrent API requests by @DL6ER in #2847
• Don't skip device lookup when resolver.macNames is disabled by @DL6ER in #2846
• Fix linker error when compiling w/o optimization by @aeolio in #2850
• Clarify dns.blockESNI wording by @darkexplosiveqwx in #2784
• Preserve log file path config when fopen fails by @DL6ER in #2834

Security advisories

• GHSA-6w8x-p785-6pm4
  • Fixed with : 88c569a and pi-hole/pi-hole@7ccb8dd
• GHSA-9cqv-839p-gpq2
  • Fixed with : 0c46e4e

New Contributors

• @darkexplosiveqwx made their first contribution in #2784

Full Changelog: v6.6...v6.6.1

What's Changed

• Fix possible resolver issue on armv5tel by @DL6ER in #2781
• Introduce CMake options for optional dependencies by @aeolio in #2795
• Fix build without mbedtls [v2] by @aeolio in #2796
• Fix overTime data when database.DBimport = false by @DL6ER in #2788
• Fix cross-compilation issues w/ custom toolchain by @aeolio in #2797
• Add new option for controling name resolution via MAC address by @DL6ER in #2790
• Fix obtaining client groups by name by @DL6ER in #2791
• Ensure API sessions are restored before starting the HTTP server by @DL6ER in #2803
• Add form-action 'self' to Content-Security-Policy by @yubiuser in #2804
• Add query_frequency to /padd endpoint by @yubiuser in #2806
• Guard query-count counters against unsigned underflow by @DL6ER in #2815
• Add universal crash backtrace via _Unwind_Backtrace by @DL6ER in #2811
• config: show totp_secret presence in CLI output by @DL6ER in #2813
• Fix client count inflation for rate-limited queries by @DL6ER in #2814
• Fix stack buffer overflow in get_process_name() by @DL6ER in #2821
• Do not restart FTL while pihole -g is still ongoing by @DL6ER in #2419

Security Advisories

• GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration reported by @mzalzahrani
• Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by @T0X1Cx
  • pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c
  • pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp
  • pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m
  • pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj
  • pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj

New Contributors

• @aeolio made their first contribution in #2795

Full Changelog: v6.5...v6.6

What's Changed

• Tweak undocumented wait-for option subtly by @DL6ER in #2707
• update gravity - improve domain validation processing speed by @rrobgill in #2710
• Update embedded SQLite3 to 3.51.1 by @DL6ER in #2731
• Update embedded dnsmasq to 2.92rc1 by @DL6ER in #2730
• Fix documentation - Do not use equal sign with pihole-FTL --config command by @rdwebdesign in #2736
• Add dns.cache.rrtype by @Manakuremati in #2740
• Enhancements to the documentation markdown generator by @PromoFaux in #2741
• Network Overview - obtain MAC and hostname from dhcp.leases by @rrobgill in #2727
• fix: make get_domains parameters optional by @tien in #2278
• Escape unprintable characters in invalid host names by @DL6ER in #2601
• Implement better allOf handling in API verifier by @DL6ER in #2745
• Update build containers to Alpine 3.23 by @DL6ER in #2743
• Add option to hide network connection errors by @DL6ER in #2749
• Harden default Content Security Policy (CSP) by @Erasure5959 in #2754
• Fix computation of NTP server's root delay by @DL6ER in #2760
• Teleporter: Fix for custom gravity.db path by @DL6ER in #2758
• Upgrade embedded Lua to 5.5 by @DL6ER in #2626
• Add missing [forwarded] property in GET /api/history/database by @DL6ER in #2750
• Update SQLite3 to 3.51.2 by @DL6ER in #2761
• Low-memory hardware optimizations by @DL6ER in #2757
• Reduce startup delay by @DL6ER in #2725
• home.arpa and internal TLDs may be non-local without revServer by @DL6ER in #2772

New Contributors

• @Erasure5959 made their first contribution in #2754

Full Changelog: v6.4.1...v6.5

Nothing to see here - accidentally tagged the wrong commit for the big 6.4 release. Content is exactly the same as v6.4

What's Changed

• Fix API specs and example for dns.upstreams in config.yaml by @rdwebdesign in #2696
• gravity update - silently discard unicode BOM if present by @rrobgill in #2702
• Update embedded SQLite to 3.51.0 by @DL6ER in #2704
• Get earliest query timestamp from database by @PromoFaux in #2706
• Increase buffer length for query string by @mwoolweaver in #2709
• Reduce DNS resolver locking during database interaction by @DL6ER in #2700
• Make colour output optional in streaming gravity API call by @PromoFaux in #2718
• api/dhcp/leases Allow for hwaddr > 48 bits by @rrobgill in #2724
• Add rate-limiting for TOTP validation by @DL6ER in #2719
• Implement simple partial matching for regex in /api/search/{domain} by @DL6ER in #2705
• Performance optimizations: string processing, memory management, and compiler flags by @Copilot in #2571
• Fix authentication redirect when webhome is / (fixes #2518) by @averyvigolo in #2610
• Reduce database locking and add timing debug setting by @DL6ER in #2688

New Contributors

• @mwoolweaver made their first contribution in #2709
• @Copilot made their first contribution in #2571
• @averyvigolo made their first contribution in #2610

Full Changelog: v6.3.3...v6.4.1

What's Changed

• Fix API specs and example for dns.upstreams in config.yaml by @rdwebdesign in #2696
• gravity update - silently discard unicode BOM if present by @rrobgill in #2702
• Update embedded SQLite to 3.51.0 by @DL6ER in #2704
• Get earliest query timestamp from database by @PromoFaux in #2706
• Increase buffer length for query string by @mwoolweaver in #2709
• Reduce DNS resolver locking during database interaction by @DL6ER in #2700
• Make colour output optional in streaming gravity API call by @PromoFaux in #2718
• api/dhcp/leases Allow for hwaddr > 48 bits by @rrobgill in #2724
• Add rate-limiting for TOTP validation by @DL6ER in #2719
• Implement simple partial matching for regex in /api/search/{domain} by @DL6ER in #2705
• Performance optimizations: string processing, memory management, and compiler flags by @Copilot in #2571
• Fix authentication redirect when webhome is / (fixes #2518) by @averyvigolo in #2610
• Reduce database locking and add timing debug setting by @DL6ER in #2688

New Contributors

• @mwoolweaver made their first contribution in #2709
• @Copilot made their first contribution in #2571
• @averyvigolo made their first contribution in #2610

Full Changelog: v6.3.3...v6.4

What's Changed

• Fix crash in NTP error handling code by @DL6ER in #2684
• Add validation for ntp.sync.server by @DL6ER in #2667
• Be more explicit about required path and query parameters for list manipulation by @yubiuser in #2689
• Pi-hole FTL v6.3.3 by @DL6ER in #2693

Full Changelog: v6.3.2...v6.3.3

What's Changed

• Fix pihole.format_path() memory handling by @DL6ER in #2675

Full Changelog: v6.3.1...v6.3.2

What's Changed

• Fix pihole.format_path(string) modifying string in-place by @DL6ER in #2661
• Do not try to renew certificate that is not used by @DL6ER in #2666
• Replace dots with underscores when creating env var examples by @rdwebdesign in #2669
• Grammar corrections in documentation by @alexxroche in #2670
• Add new config option for hiding some warnings from diagnosis system by @DL6ER in #2657

New Contributors

• @alexxroche made their first contribution in #2670

Full Changelog: v6.3...v6.3.1

What's Changed

• Tests - fix PTR test by @rrobgill in #2516
• Reply to address queries in .localhost domain (RFC6171) by @rrobgill in #2517
• dhcp-discover: Fix string processing by @rrobgill in #2519
• [RFC] Prevent .internal queries from being upstreamed. Draft draft-davies-internal-tld-03 by @Tooa in #2474
• Add dns.localise by @Manakuremati in #2524
• Webserver: Allow webhome to be root by @rrobgill in #2521
• api/network Avoid NULL string comparison logspam by @rrobgill in #2526
• request_info.is_authenticated needs to be initialized explicitly with… by @DL6ER in #2533
• Allow forcing color in CLI output by @DL6ER in #2538
• Simplify CI build by removing the composite action by @yubiuser in #2511
• Rename flushing arp > flushing network by @yubiuser in #2541
• Update embedded SQLite3 engine to 3.50.2 by @DL6ER in #2544
• Add pihole-FTL create-default-config option and use it to upload pihole.toml to ftl.pi-hole.net by @yubiuser in #2540
• Allow low-level header manipulation from Lua pages by @DL6ER in #2535
• Fix foreign fork PRs by @DL6ER in #2543
• Update package-lock.json to fix npm vuln by @XhmikosR in #2555
• Update rapidoc to v9.3.8 by @XhmikosR in #2556
• Add missing 'took' fields to API spec response examples by @tsutsu3 in #2466
• Remove domain type from domainNeeded help text by @yubiuser in #2564
• Update embedded dnsmasq to v2.92test16 by @DL6ER in #2570
• Config typo correction by @rrobgill in #2572
• Support IPv6 in the DHCP API by @DL6ER in #2554
• Add sigrtmin option by @jacklul in #2574
• NTP ipv6 crash fix - ntp reply & logging by @rrobgill in #2569
• Add 'never-stale' to stale issue exempt lable list by @yubiuser in #2578
• Upgrade TOML library to tomlc17 by @DL6ER in #2579
• Add warning to the config markdown by @yubiuser in #2580
• Automatically detect DNS interface when empty in pihole.toml by @DL6ER in #2456
• Make type a required parameter for PUT and DELETE /lists by @DL6ER in #2530
• Update embedded SQLite3 to 3.50.3 by @DL6ER in #2576
• Remove remaining traces of ARP flush by @yubiuser in #2545
• Improve CNAME behavior of pi.hole by @DL6ER in #2585
• Add colors to the --config output by @DL6ER in #2584
• fix: change type of disk parameter for GET /queries by @ninjack-dev in #2589
• Improve default CSP headers by @DL6ER in #2575
• Improve already running detection by @DL6ER in #2591
• Update embedded SQLite3 to 3.50.4 by @DL6ER in #2592
• Fix debug output association by @DL6ER in #2594
• Fix FTL running behing reverse-proxy with prefix by @DL6ER in #2595
• Update embedded dnsmasq by @DL6ER in #2587
• Implement netlink ARP cache handling by @DL6ER in #2600
• Add autocomplete feature by @DL6ER in #2593
• Update embedded dnsmasq to v2.92test19 by @DL6ER in #2603
• Fix dns.interface comment by @rdwebdesign in #2597
• Fix logic in automatic interface determination (when dns.interface = "") by @DL6ER in #2607
• Fix default value autocomplete suggestions by @DL6ER in #2609
• Update dnsmasq to v2.92test21 by @DL6ER in #2614
• Fix cache-optimizer queries in Query Log by @DL6ER in #2619
• Update embedded CivetWeb by @DL6ER in #2621
• Do not set domainname when the kernel replies with "(none)" by @DL6ER in #2620
• Fix dns.hosts help text to show multiple hostnames per IP are allowed by @rdwebdesign in #2623
• Improve memory handling by @DL6ER in #2617
• Pin github actions to SHA by @yubiuser in #2615
• Bump the github_action-dependencies group across 1 directory with 6 updates by @dependabot[bot] in #2628
• Be more gracefully when validating dns_hosts by @yubiuser in #2624
• Implement automatic TLS/SSL certificate renewals by @DL6ER in #2463
• Fix HOSTS file rotation test which was hiding in fast runners by @yubiuser in #2630
• Suggest IP addresses instead of names for upstream by @DL6ER in #2444
• Make restarting optional in API config endpoints by @DL6ER in #2632
• Ensure queries with ID 0 are stored to the long-term queries database by @DL6ER in #2633
• Ensure we can log until the very end by @DL6ER in #2634
• Bump github/codeql-action from 3.30.3 to 3.30.5 in the github_action-dependencies group across 1 directory by @dependabot[bot] in #2636
• Fix long-term database insertion by @DL6ER in #2583
• Add webserver.advancedOpts by @DL6ER in #2635
• Add new dns.domain.local and rename dns.domain -> dns.domain.name by @DL6ER in #2531
• Bump the github_action-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #2641
• Allow escaping special single-character wildcard "_" when doing partial matching by @DL6ER in #2550
• Expose both total and enabled for gravity tables by @DL6ER in #2177
• Improve gravity database resilience by @DL6ER in #2605
• Add custom SQLite busy callback by @DL6ER in #2602
• Add %MEM and %CPU of FTL to GET info/system by @DL6ER in #2645
• Try to load system load averages from /proc/loadavg first by @tpjanssen in #2644
• Fix database busy handler initialization by @DL6ER in #2646
• Fix POST /lists example by @DL6ER in #2649
• Improve CPU utilization reporting by @DL6ER in #2647
• Bump the github_action-dependencies group across 1 directory with 2 updates by @dependabot[bot] in #2651
• Implement selection of TLS ciphers for mbedtls by @DL6ER in #2638
• Bump the github_action-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #2654

New Contributors

• @Tooa made their first contribution in #2474
• @Manakuremati made their first contribution in #2524
• @ninjack-dev made their first contribution in #2589
• @tpjanssen made their first contribution in #2644

Full Changelog: v6.2.3...v6.3