CVE-2026-4890
dnsmasq · dnsmasq
A Denial of Service (DoS) vulnerability in the dnsmasq DNSSEC validation component allows remote attackers to crash the service via a crafted DNS packet.
Executive summary
A critical Denial of Service vulnerability in dnsmasq allows remote attackers to disrupt DNS resolution through crafted packets.
Vulnerability
The vulnerability is a CWE-835 Infinite Loop flaw triggered during DNSSEC validation. This allows an unauthenticated remote attacker to cause resource exhaustion and service termination.
Business impact
Successful exploitation results in a Denial of Service, rendering DNS resolution unavailable for all clients relying on the affected dnsmasq instance. Given that DNS is a foundational network service, this impact can lead to widespread system downtime and business disruption, justifying the high severity score.
Remediation
Immediate Action: Update dnsmasq to version 2.92rel2 or later across all environments immediately.
Proactive Monitoring: Monitor system logs for repeated dnsmasq crashes or unusual CPU spikes associated with the dnsmasq process.
Compensating Controls: Implement rate limiting on incoming DNS traffic and utilize upstream DNS providers that can filter malformed packets before they reach the local resolver.
Exploitation status
Public Exploit Available: No — there is no confirmed public weaponized exploit available.
Analyst recommendation
DNS infrastructure is a critical point of failure; therefore, this update should be treated with high urgency. Organizations should verify their current dnsmasq versions and apply the 2.92rel2 patch immediately to maintain network availability and resilience.