CVE-2026-4890

dnsmasq · dnsmasq

A Denial of Service (DoS) vulnerability in the dnsmasq DNSSEC validation component allows remote attackers to crash the service via a crafted DNS packet.

Executive summary

A critical Denial of Service vulnerability in dnsmasq allows remote attackers to disrupt DNS resolution through crafted packets.

Vulnerability

The vulnerability is a CWE-835 Infinite Loop flaw triggered during DNSSEC validation. This allows an unauthenticated remote attacker to cause resource exhaustion and service termination.

Business impact

Successful exploitation results in a Denial of Service, rendering DNS resolution unavailable for all clients relying on the affected dnsmasq instance. Given that DNS is a foundational network service, this impact can lead to widespread system downtime and business disruption, justifying the high severity score.

Remediation

Immediate Action: Update dnsmasq to version 2.92rel2 or later across all environments immediately.

Proactive Monitoring: Monitor system logs for repeated dnsmasq crashes or unusual CPU spikes associated with the dnsmasq process.

Compensating Controls: Implement rate limiting on incoming DNS traffic and utilize upstream DNS providers that can filter malformed packets before they reach the local resolver.

Exploitation status

Public Exploit Available: No — there is no confirmed public weaponized exploit available.

Analyst recommendation

DNS infrastructure is a critical point of failure; therefore, this update should be treated with high urgency. Organizations should verify their current dnsmasq versions and apply the 2.92rel2 patch immediately to maintain network availability and resilience.