Six CVEs hit dnsmasq as AI-driven bug hunting overwhelms maintainer
Original source: CERT is releasing six CVEs for serious security vulnerabilities in dnsmasq (via Hacker News)

CERT disclosed six serious, long-standing vulnerabilities in dnsmasq on May 11, 2026, affecting essentially all non-ancient versions of the widely deployed DNS/DHCP forwarder. Maintainer Simon Kelley has shipped a 2.92rel2 backport with patches and pushed fixes to the development tree, some as targeted backports and others as more thorough rewrites aimed at root causes. A 2.93rc1 is imminent, with a stable 2.93 release targeted within roughly a week, and Kelley is asking the community to test the release candidate aggressively.
The more striking story is operational. Kelley describes a flood of AI-generated bug reports over the past couple of months — heavy on duplicates and requiring substantial triage to separate genuine issues warranting vendor pre-disclosure from noise. He argues that long embargoes have lost much of their value: if AI-assisted researchers can repeatedly surface these bugs, hostile actors almost certainly can too, while coordinating embargoes and backports across vendors imposes enormous overhead on everyone involved.
As a result, the project is shifting toward fixing issues forward and releasing faster rather than holding patches for coordinated disclosure windows. Kelley expects this disclose-and-ship cycle to repeat, and is explicitly prioritizing release timeliness over comprehensiveness — a notable policy shift from a maintainer of critical infrastructure software, and a useful signal of how AI-assisted vulnerability research is reshaping coordinated disclosure norms.
This is an AI-generated summary; read the original article for the full story.