Platform
linux
Component
pi-hole
Fixed in
6.0.1
CVE-2026-35517 is a remote code execution (RCE) vulnerability in Pi-hole's FTL engine (pihole-FTL). An authenticated attacker can inject additional dnsmasq configuration directives through a setting that FTL writes into the dnsmasq configuration it generates, ultimately gaining command execution on the underlying host. Affected versions are Pi-hole 6.0.0 and later, up to but not including 6.6; the fix shipped in Pi-hole 6.6.0.
The impact is significant. An attacker who holds valid credentials can execute arbitrary commands on the Pi-hole server, which can lead to full system compromise: data exfiltration, malware installation, or denial of service. The attacker could also alter DNS answers, redirect traffic, or pivot to other hosts on the network. Because Pi-hole is the resolver for every client that points at it, one compromised instance affects all of those clients. Since the injected directives land in a configuration file rather than in a transient request, they can also serve as a persistence mechanism, giving the attacker a foothold that survives beyond the initial session.
CVE-2026-35517 was publicly disclosed on April 7, 2026. It is not currently listed in CISA KEV. Public proof-of-concept exploits are not yet widely available, but the combination of RCE outcome and a comparatively simple exploitation path suggests a moderate probability of exploitation. The authentication requirement limits the immediate attack surface; phished, reused, or default web-interface credentials would remove that limit.
Organizations and individuals running Pi-hole as their DNS server, specifically versions 6.0.0 through 6.5.99, are at risk. Multi-user deployments, where several people hold web-interface credentials for one instance, are especially exposed, because any one compromised account is sufficient to exploit the flaw.
• linux / server (FTL log entries about the generated dnsmasq configuration):
journalctl -u pihole-FTL -g "dnsmasq configuration"
• linux / server (print the configured upstreams and look for entries that span more than one line):
pihole-FTL --config dns.upstreams
• linux / server (list every server= directive in the drop-in directory, with file and line number):
find /etc/pihole/dnsmasq.d/ -type f -print0 | xargs -0 grep -in "^\s*server="
Exploit status
EPSS
0.23% (45th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Pi-hole to version 6.6.0 or later, which contains the fix. If an immediate upgrade is not possible because of compatibility or testing constraints, restrict access to the Pi-hole web interface to trusted users and networks in the meantime. Review and audit the dns.upstreams configuration parameter for any entry that is not a plain upstream address (host or IP, optionally with a port), in particular entries containing line breaks. A WAF cannot fully prevent this injection, but it can alert on requests that carry newline or other control characters in the dns.upstreams field. After upgrading, confirm the fix by verifying that dns.upstreams no longer accepts newline characters and that an injected entry no longer results in additional dnsmasq directives or command execution.
Update Pi-hole to version 6.6 or later to mitigate the remote code execution vulnerability. The update fixes the newline injection in the upstream DNS server configuration, preventing execution of arbitrary commands on the system.
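The detection commands and the mitigation advice above both come down to the same two checks: does an upstream value contain a line break, and does the rendered upstream block contain anything other than server= lines. The following Python is an added example, not Pi-hole code, that models the vulnerable rendering (one server= line per dns.upstreams entry with no validation), the hardened validator that rejects control characters, and a scanner that flags unexpected directives in a rendered block. The sample upstream lists are constructed, the character set accepted by the validator is an assumption, and the injected directive name is a placeholder rather than a real dnsmasq option.

```python
"""Added example (not Pi-hole code): newline injection into a list of
upstream servers, a strict validator, and a scanner for the rendered block."""
import re

# Constructed sample inputs (assumptions, not taken from the advisory).
GOOD_UPSTREAMS = ["9.9.9.9", "1.1.1.1#5353", "fd00::1"]
# The second entry embeds a newline; the text after it stands in for an
# attacker-chosen directive. "some-directive" is a placeholder, not a real option.
INJECTED_UPSTREAMS = ["9.9.9.9", "1.1.1.1\nsome-directive=/tmp/evil"]


def render_upstreams(upstreams):
    """Naive rendering: one 'server=' line per entry, no validation.
    This models the behaviour the advisory describes as vulnerable."""
    return "".join(f"server={u}\n" for u in upstreams)


# Assumption: an upstream spec is an IPv4/IPv6/hostname, optionally followed by
# '#port' and/or '%interface'. Anything outside this set is rejected.
_UPSTREAM_RE = re.compile(r"^[0-9A-Za-z.:\[\]#%\-]+$")


def validate_upstream(value):
    """Hardened check: reject control characters (including '\\n' and '\\r')
    and anything outside the narrow character set an upstream spec needs."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return False
    return bool(_UPSTREAM_RE.match(value))


def render_upstreams_safe(upstreams):
    """Validate every entry before rendering; raise on the first bad batch."""
    bad = [u for u in upstreams if not validate_upstream(u)]
    if bad:
        raise ValueError(f"rejected upstream entries: {bad!r}")
    return render_upstreams(upstreams)


def is_rejected(upstreams):
    """True if the hardened renderer refuses this list."""
    try:
        render_upstreams_safe(upstreams)
    except ValueError:
        return True
    return False


def unexpected_directives(rendered, allowed=("server",)):
    """Scan a rendered block line by line and return (line_no, line) for every
    directive whose key is not in `allowed`. In the upstream section only
    'server=' is expected, so anything else is a sign of injection."""
    found = []
    for lineno, line in enumerate(rendered.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0]
        if key not in allowed:
            found.append((lineno, line))
    return found


if __name__ == "__main__":
    vulnerable = render_upstreams(INJECTED_UPSTREAMS)
    print("vulnerable rendering:\n" + vulnerable)
    print("unexpected directives:", unexpected_directives(vulnerable))
    print("hardened renderer rejects injected list:", is_rejected(INJECTED_UPSTREAMS))
```

The scanner is the same logic as the grep in the detection section, but applied to the rendered text rather than the files on disk: run it over the contents of the generated dnsmasq configuration and anything that is not a server= line in the upstream block deserves a look.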
CVE-2026-35517 is a Remote Code Execution vulnerability in Pi-hole versions 6.0.0 through 6.5.99, allowing authenticated attackers to execute commands on the server.
You are affected if you are running Pi-hole versions 6.0.0 through 6.5.99. Upgrade to 6.6.0 or later to resolve the issue.
Upgrade Pi-hole to version 6.6.0 or later. Consider restricting access to the web interface as a temporary measure.
No active exploitation has been publicly confirmed, but the RCE outcome and the simple exploitation path mean it should be treated as a realistic target once credentials are obtained.
Refer to the official Pi-hole security advisory on their website for detailed information and updates: [https://pi-hole.net/security/](https://pi-hole.net/security/)