Download Latest Version
Pi-hole FTL v6.6.2 source code.tar.gz (4.9 MB)
Get an email when there's a new version of FTLDNS
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| pihole-FTL-riscv64 | 2026-05-11 | 31.6 MB | |
| pihole-FTL-riscv64.sha1 | 2026-05-11 | 61 Bytes | |
| pihole-FTL-386 | 2026-05-11 | 26.0 MB | |
| pihole-FTL-386.sha1 | 2026-05-11 | 57 Bytes | |
| api-docs.tar.gz | 2026-05-11 | 350.2 kB | |
| pihole-FTL-amd64 | 2026-05-11 | 28.1 MB | |
| pihole-FTL-amd64.sha1 | 2026-05-11 | 59 Bytes | |
| pihole-FTL-armv7 | 2026-05-11 | 25.6 MB | |
| pihole-FTL-armv7.sha1 | 2026-05-11 | 59 Bytes | |
| pihole.toml | 2026-05-11 | 69.2 kB | |
| pihole-FTL-armv6 | 2026-05-11 | 27.5 MB | |
| pihole-FTL-armv6.sha1 | 2026-05-11 | 59 Bytes | |
| pihole-FTL-arm64 | 2026-05-11 | 28.4 MB | |
| pihole-FTL-arm64.sha1 | 2026-05-11 | 59 Bytes | |
| pihole-FTL-amd64-clang | 2026-05-11 | 17.4 MB | |
| pihole-FTL-amd64-clang.sha1 | 2026-05-11 | 65 Bytes | |
| Pi-hole FTL v6.6.2 source code.tar.gz | 2026-05-11 | 4.9 MB | |
| Pi-hole FTL v6.6.2 source code.zip | 2026-05-11 | 5.2 MB | |
| README.md | 2026-05-11 | 2.6 kB | |
| Totals: 19 Items | 195.0 MB | 0 | |
dnsmasq security update
This release imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Patches are taken verbatim from https://thekelleys.org.uk/dnsmasq/CVE/
CVEs fixed
-
CVE-2026-2291 — Heap OOB write in
struct bigname. The on-heap namebuffer was sized for the wire form of a domain name (MAXDNAME) rather than its escaped internal form (MAXDNAME*2 + 1). A remote peer that can send or answer DNS queries could cause a large out-of-bounds write on the heap. Reported by Andrew S. Fasano. -
CVE-2026-4890 — DNSSEC denial of service via NSEC bitmap parsing.The window-iteration step omitted the 2-byte window header, so a crafted NSEC record with
bitmap_length == 0produced an infinite loop and dnsmasq stopped answering queries. Reachable before RRSIG validation,so no valid signatures are required to trigger it. Reported by Royce M. -
CVE-2026-4891 — DNSSEC crash via crafted RRSIG. A packet declaring an
rdlensmaller than the fixed RRSIG header plus signer's name produced a negative signature length and a subsequent crash. Reported by Royce M. -
CVE-2026-4892 — Privileged buffer overflow in the DHCP helper.When
--dhcp-scriptis configured, hex-encoded DHCPv6 client identifiers (up to 65535 bytes) were written into a 5131-byte buffer in the root-privileged helper. Reported by Royce M. -
CVE-2026-4893 — EDNS Client Subnet validation bypass. With
--add-subnetenabled,process_reply()passed the OPT record length(~23 bytes) tocheck_source()instead of the packet length, causing every internal bounds check to fail and the validation routine to always return success. ECS source validation per RFC 7871 §9.2 was effectively disabled. Reported by Royce M. -
CVE-2026-5172 — Heap OOB read in
extract_addresses(). A mismatched RRrdlenallowedextract_name()to advance past the computed end of the record, underflowing the remaining-bytes calculation and producing a large OOB read with certain crash.Reported by Hugo Martinez Ray.
Upgrade impact
All six fixes are minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities.
Fix dnsmasq CVE publications by @DL6ER in https://github.com/pi-hole/FTL/pull/2888
This furthermore indirectly fixes [#2871] due to https://github.com/pi-hole/docker-base-images/pull/158
Full Changelog: https://github.com/pi-hole/FTL/compare/v6.6.1...v6.6.2
