Description
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Published: 2026-05-11
Score: 7.5 High
EPSS: 7.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in dnsmasq’s DNSSEC validation logic—an uncontrolled resource consumption weakness identified as CWE-835—allows a remote attacker to send a specially crafted DNS packet that triggers the resolver to become unresponsive or crash. The result is a denial of service that impacts DNS resolution for clients connected to the affected server, without any known data confidentiality or integrity compromise. Based solely on the description, the attack requires the attacker to deliver packets to the dnsmasq instance over the network.

Affected Systems

The vulnerability affects dnsmasq installations that have DNSSEC validation enabled. No specific product versions are listed in the vendor data, so all releases that support DNSSEC validation are presumed vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and an EPSS score of 6.66% shows a moderate likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, so public exploitation is uncertain but the impact on availability is significant for exposed servers.

Generated by OpenCVE AI on June 30, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dnsmasq to the most recent stable release available from the vendor. If a patch addressing the DNSSEC validation flaw is released, apply it promptly.
  • If a patch cannot be applied immediately, disable DNSSEC validation on the dnsmasq instance to eliminate the infinite‑loop condition and stop the denial‑of‑service vector.
  • Apply network‑based rate limiting or packet size restrictions to reduce the risk of resource exhaustion from malformed DNS packets.
  • Monitor dnsmasq logs for traffic anomalies and activate fail‑over mechanisms to preserve DNS availability.

Generated by OpenCVE AI on June 30, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4625-1 dnsmasq security update
Debian DSA Debian DSA DSA-6264-1 dnsmasq security update
History

Wed, 13 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

threat_severity

Important


Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Vendors & Products Dnsmasq
Dnsmasq dnsmasq
References

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 18:45:00 +0000


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Title CVE-2026-4890
References

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-07-02T12:05:01.958Z

Reserved: 2026-03-26T13:05:10.729Z

Link: CVE-2026-4890

cve-icon Vulnrichment

Updated: 2026-07-02T12:05:01.958Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:41.273

Modified: 2026-06-17T10:57:24.097

Link: CVE-2026-4890

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-09T00:00:00Z

Links: CVE-2026-4890 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')