Description
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: 2.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based out‑of‑bounds read (CWE‑125) in dnsmasq’s DNSSEC validation logic. When the daemon parses a malicious DNSSEC‑signed packet, it incorrectly reads beyond allocated memory, corrupting internal state and ultimately crashing the service. The crash denies all clients from reaching the DNS server, causing a denial of service that propagates across networks reliant on the affected resolver.

Affected Systems

dnsmasq is the affected product. No specific version information is listed, so any deployment running dnsmasq that has DNSSEC validation enabled could be affected. This includes typical home, corporate, or service‑provider DNS resolvers that rely on dnsmasq as their DNS server.

Risk and Exploitability

The CVSS score of 5.3 classifies the flaw as medium severity, but the EPSS score of 2% indicates a low yet non‑zero likelihood of exploitation. The vulnerability is exploitable remotely over the network by sending a malicious DNS packet; no authentication is required. Based on the description, it is inferred that an attacker does not need any credentials to trigger the flaw. While it is not currently listed in CISA’s KEV catalog, defenders should consider its medium impact on availability and the potential for cascading outages across DNS‑dependent services.

Generated by OpenCVE AI on June 24, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest dnsmasq update that addresses the heap out‑of‑bounds read flaw (CWE‑125).
  • If a patch is not yet available, temporarily disable DNSSEC validation on trusted DNS servers to eliminate the vulnerable code path.
  • Configure inbound traffic filtering or rate‑limit DNS queries to mitigate potential abuse from crafted packets.

Generated by OpenCVE AI on June 24, 2026 at 13:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4625-1 dnsmasq security update
Debian DSA Debian DSA DSA-6264-1 dnsmasq security update
History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 11 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Dnsmasq
Dnsmasq dnsmasq
Weaknesses CWE-125
Vendors & Products Dnsmasq
Dnsmasq dnsmasq

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Title CVE-2026-4891
References

Subscriptions

Dnsmasq Dnsmasq
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-20T14:08:50.799Z

Reserved: 2026-03-26T13:07:05.406Z

Link: CVE-2026-4891

cve-icon Vulnrichment

Updated: 2026-05-11T18:27:24.527Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:41.380

Modified: 2026-06-17T10:57:24.237

Link: CVE-2026-4891

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-09T00:00:00Z

Links: CVE-2026-4891 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses