Description
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in dnsmasq’s DNSSEC validation processing allows an attacker to send a specially crafted DNS packet that triggers a crash or causes the resolver process to hang. The impact is a denial of service affecting DNS resolution for clients; the vulnerability does not provide a path to compromise data confidentiality or integrity, but it can disrupt network connectivity. Based on the description, it is inferred that the attacker must have the ability to send packets to the dnsmasq instance over the network.

Affected Systems

dnsmasq is the affected product. No explicit version information has been released, so all dnsmasq releases that enable DNSSEC validation are considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is < 1%, indicating a very low but non-zero exploitation probability, and the vulnerability is not listed in CISA KEV, so the public exploitation probability is uncertain. Nevertheless, any dnsmasq server exposed with DNSSEC enabled presents a high availability risk, as remote attackers can flood the resolver with malicious packets to deplete resources or crash the service.

Generated by OpenCVE AI on May 13, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest dnsmasq release that fixes the infinite loop (CWE‑835) vulnerabilities in DNSSEC validation.
  • If a patch is not yet available, enforce strict packet size limits and query rate limits to curb resource exhaustion.
  • Temporarily disable DNSSEC validation on the dnsmasq instance to prevent exploitation of the DNSSEC validation logic until the fix is applied.
  • Continuously monitor dnsmasq logs and system throughput, and consider automated restarts or failover configurations to maintain service availability during remediation.



Advisories
Source | ID | Title
Debian DSA | DSA-6264-1 | dnsmasq security update
History

Wed, 13 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

threat_severity

Important


Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Vendors & Products Dnsmasq
Dnsmasq dnsmasq
References

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 11 May 2026 18:45:00 +0000


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Title CVE-2026-4890
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-11T19:58:36.052Z

Reserved: 2026-03-26T13:05:10.729Z

Link: CVE-2026-4890

Vulnrichment

Updated: 2026-05-11T18:27:57.204Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T18:16:41.273

Modified: 2026-05-12T14:15:46.747

Link: CVE-2026-4890

Red Hat

Severity: Important

Public Date: 2026-05-09T00:00:00Z

Links: CVE-2026-4890 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T04:30:05Z

Weaknesses