Description
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: 6.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based out‑of‑bounds read (CWE‑125) in dnsmasq’s DNSSEC validation logic. When the daemon receives a malicious DNSSEC‑signed packet, it reads past the end of an allocated buffer, corrupting internal state and causing the process to crash. The crash terminates dnsmasq, denying all local and remote clients the ability to resolve DNS queries, which results in a denial of service.

Affected Systems

dnsmasq is the affected product. No specific version is listed, so any installation that has DNSSEC validation enabled could be affected. This includes residential, enterprise, and service‑provider DNS resolvers that rely on dnsmasq as their DNS server.

Risk and Exploitability

The CVSS score of 5.3 classifies the flaw as medium severity, and the EPSS score of 6% indicates a low but non‑zero chance of exploitation. The vulnerability is exploitable remotely over the network by sending a malformed DNS packet; no authentication is required. The flaw is not currently listed in CISA’s KEV catalog, but defenders should monitor for outages that might be caused by these packet‑processing crashes.

Generated by OpenCVE AI on June 30, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dnsmasq to the latest release that contains the DNSSEC validation fix
  • If an immediate update is not possible, temporarily disable DNSSEC validation in dnsmasq configuration
  • Configure firewall or monitoring to detect anomalous DNS queries that may indicate exploitation attempts

Generated by OpenCVE AI on June 30, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4625-1 dnsmasq security update
Debian DSA Debian DSA DSA-6264-1 dnsmasq security update
History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 11 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Weaknesses CWE-125
Vendors & Products Dnsmasq
Dnsmasq dnsmasq

Mon, 11 May 2026 18:45:00 +0000


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Title CVE-2026-4891
References

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-07-15T00:47:55.334Z

Reserved: 2026-03-26T13:07:05.406Z

Link: CVE-2026-4891

cve-icon Vulnrichment

Updated: 2026-07-03T12:05:11.867Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:41.380

Modified: 2026-06-17T10:57:24.237

Link: CVE-2026-4891

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-09T00:00:00Z

Links: CVE-2026-4891 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses