diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
index dd8f3175252..8e247adb240 100644
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
@@ -1322,10 +1322,11 @@ class Dnsmasq(DhcpLocalProcess):
         elif not option.isdigit():
             option = 'option:%s' % option
         if extra_tag:
-            tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
+            tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
         else:
-            tags = ('tag:' + tag, '%s' % option)
-        return ','.join(tags + args)
+            tags = ['tag:' + tag, '%s' % option]
+
+        return ','.join(tags + [v.split("\n", 1)[0] for v in args])
 
     @staticmethod
     def _convert_to_literal_addrs(ip_version, ips):
diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py
index aa50ff89732..4a9cfaf5072 100644
--- a/neutron/tests/unit/agent/linux/test_dhcp.py
+++ b/neutron/tests/unit/agent/linux/test_dhcp.py
@@ -230,6 +230,9 @@ class FakeV6PortExtraOpt(object):
         self.extra_dhcp_opts = [
             DhcpOpt(opt_name='dns-server',
                     opt_value='ffea:3ba5:a17a:4ba3::100',
+                    ip_version=constants.IP_VERSION_6),
+            DhcpOpt(opt_name='malicious-option',
+                    opt_value='aaa\nbbb.ccc\n',
                     ip_version=constants.IP_VERSION_6)]
 
 
@@ -2910,7 +2913,9 @@ class TestDnsmasq(TestBase):
         exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
                         'option6:domain-search,openstacklocal\n'
                         'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
-                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
+                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
+                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+                        'option6:malicious-option,aaa').lstrip()
         dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
         dm._output_hosts_file()
         dm._output_opts_file()
diff --git a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
new file mode 100644
index 00000000000..d2a8c2f68bb
--- /dev/null
+++ b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
+    dropping from the dhcp extra option values everything what is after first
+    newline (``\n``) character before passing them to the dnsmasq.