Description
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Published: 2026-05-11
Score: 7.5 High
EPSS: 3.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in dnsmasq’s DNSSEC validation logic allows a remote attacker to send a specially crafted DNS packet that triggers the resolver to become unresponsive or crash. The result is a denial of service that impacts DNS resolution for clients connected to the affected server, without any known data confidentiality or integrity compromise. Based solely on the description, the attack requires the attacker to deliver packets to the dnsmasq instance over the network.

Affected Systems

The vulnerability affects dnsmasq installations that have DNSSEC validation enabled. No specific product versions are listed in the vendor data, so all releases that support DNSSEC validation are presumed vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and an EPSS score of 3% shows a moderate likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, so public exploitation is uncertain, but the impact on availability is significant for exposed servers.

Generated by OpenCVE AI on June 24, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dnsmasq to the latest release that contains the DNSSEC validation fix referenced in the NixOS pull requests and pi‑hole release v6.6.2
  • If a patched version is not immediately available, restrict the rate and size of incoming DNS queries using firewall or server‑side limits to reduce the chance of resource exhaustion
  • As a temporary measure, disable DNSSEC validation on the dnsmasq instance until the official patch is applied
  • Continuously monitor network traffic and dnsmasq logs for anomalous DNS packets, and configure automated restarts or failover mechanisms to maintain service availability


Advisories
Source | ID | Title
Debian DLA | DLA-4625-1 | dnsmasq security update
Debian DSA | DSA-6264-1 | dnsmasq security update
History

Wed, 13 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

threat_severity

Important


Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Vendors & Products Dnsmasq
Dnsmasq dnsmasq
References

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 18:45:00 +0000


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Title CVE-2026-4890
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-20T14:08:25.686Z

Reserved: 2026-03-26T13:05:10.729Z

Link: CVE-2026-4890

Vulnrichment

Updated: 2026-05-11T18:27:57.204Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T18:16:41.273

Modified: 2026-06-17T10:57:24.097

Link: CVE-2026-4890

Redhat

Severity: Important

Public Date: 2026-05-09T00:00:00Z

Links: CVE-2026-4890 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T02:15:10Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')