CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, and CVE-2026-4893: dnsmasq Multiple Vulnerabilities in Barracuda CloudGen Access Virtual Appliance

Published: 2026-05-13
Affected Product: Barracuda CloudGen Access Virtual Appliance v1.1.1 and earlier (Ubuntu-based OVA)


Summary

A vulnerable software package called dnsmasq is installed on Barracuda CloudGen Access virtual appliances v1.1.1 and earlier, but it is not actively used by any CGA component. The risk is low.

Five security vulnerabilities have been disclosed in dnsmasq, including two critical remote code execution (RCE) vulnerabilities (CVE-2026-2291 and CVE-2026-4892) and three denial-of-service / security bypass issues (CVE-2026-4890, CVE-2026-4891, CVE-2026-4893).

The Barracuda CloudGen Access virtual appliance includes the dnsmasq-base package (version 2.90) as an indirect dependency of network-manager. However, the dnsmasq service is not running and is not used by any CloudGen Access component. See Required Action below for removal steps.

All Barracuda CloudGen Access virtual appliance deployments v1.1.1 and earlier running on the Ubuntu-based OVA image contain the vulnerable package.

Impact

Although the vulnerable package is installed, the practical risk is low because the dnsmasq service is not active (see Summary). These vulnerabilities would only be exploitable if someone manually started the service, which is not part of normal CGA operations.

Affected Versions

Barracuda CloudGen Access virtual appliance v1.1.1 and earlier (Ubuntu-based OVA).

Required Action

Option 1: Remove Package (Recommended)

Remove the unused dnsmasq-base package immediately. Run the following as root:

    # Remove dnsmasq-base package
    sudo apt-get remove -y dnsmasq-base

This is a zero-downtime operation. No reboot is required.

Option 2: Upgrade to v1.1.2

Download and deploy the image from How to Deploy CloudGen Access on a Virtual Appliance. Deploy v1.1.2 for new installations or when reimaging existing appliances.

Impact of Mitigation

Removing the dnsmasq-base package does not affect:

  • CGA proxy or connector services

  • Network connectivity or DNS resolution

  • SSH, TLS, or VPN functionality used by CGA

  • vxsh CLI operations

  • Any standard operations on the virtual appliance

The only functionality lost is WiFi hotspot / connection sharing, which is not applicable to the server appliance use case.

Verification

After applying remediation:

    # Confirm dnsmasq-base is removed
    dpkg -l | grep dnsmasq
    # Expected: no output

    # Confirm no dnsmasq processes running
    ps aux | grep dnsmasq
    # Expected: only the grep process itself

    # Confirm CGA services are operational
    sudo systemctl status fydeproxy
    sudo systemctl status envoy
    sudo systemctl status fyde-connector
    # Expected: active (running) or configured state

    # Confirm network connectivity
    ping -c 4 8.8.8.8
    # Expected: successful responses
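
The package and process checks above as a single pass/fail script, added here as an example; it is not part of Barracuda's advisory or tooling. The function names and the --host switch are assumptions of this example, and the sample dpkg-query lines are constructed. It treats the dpkg state config-files (binaries removed, configuration files left behind) as remediated.

```shell
#!/bin/sh
# Added example (not Barracuda's code): scripted form of the advisory's checks.

# Classify one line of: dpkg-query -W -f='${Status} ${Version}\n' dnsmasq-base
# Line shape: "<want> <error-flag> <status> [version]"; empty if dpkg has no record.
pkg_state() {
    set -- $1                      # split into fields; $3 is the dpkg status
    case "${3:-}" in
        ""|not-installed) echo absent ;;
        installed)        echo installed ;;
        config-files)     echo config-only ;;   # binaries removed, conffiles remain
        *)                echo partial ;;       # half-installed, unpacked, ...
    esac
}

# True if a process named exactly "dnsmasq" appears in `ps -eo comm=` output.
# Matching the whole line avoids the self-match of `ps aux | grep dnsmasq`.
has_dnsmasq_proc() {
    printf '%s\n' "$1" | grep -qx 'dnsmasq'
}

# Combine both findings; return 0 only when the appliance is remediated.
verdict() {   # $1 = pkg_state result, $2 = yes|no (process running)
    [ "$2" = yes ] && { echo "FAIL: dnsmasq process is running"; return 2; }
    case "$1" in
        absent|config-only) echo "OK: dnsmasq-base removed ($1)" ;;
        *) echo "FAIL: dnsmasq-base still present ($1)"; return 1 ;;
    esac
}

# Live check on the appliance (hypothetical switch): sh check.sh --host
if [ "${1:-}" = "--host" ]; then
    line=$(dpkg-query -W -f='${Status} ${Version}\n' dnsmasq-base 2>/dev/null)
    has_dnsmasq_proc "$(ps -eo comm=)" && running=yes || running=no
    verdict "$(pkg_state "$line")" "$running"
    exit $?
fi

# Offline demo on constructed dpkg-query lines (version strings are made up).
for sample in "install ok installed 2.90-0example1" \
              "deinstall ok config-files 2.90-0example1" \
              ""; do
    verdict "$(pkg_state "$sample")" no || :
done
```

With --host the exit status is 0 when remediated, 1 when the package is still present, and 2 when a dnsmasq process is running, so the script can be run across a fleet of appliances and filtered on exit code.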

Security Testing

Do NOT run public proof-of-concept exploits in production environments. Use test or staging environments to validate that remediation was applied correctly.

Contact

For questions regarding this advisory, contact Barracuda Networks Technical Support.


This advisory will be updated as additional information becomes available.
