CVE-2026-4890 Overview
CVE-2026-4890 is a denial of service vulnerability in the DNSSEC validation logic of dnsmasq. A remote attacker triggers it by getting a crafted DNS response in front of a validating dnsmasq instance, typically by having one of its clients look up a name in a zone the attacker controls. The flaw affects availability only; confidentiality and integrity of resolver data are not compromised. Because dnsmasq is embedded in routers, container and virtualization platforms, and DNS filtering products such as Pi-hole, the exposed population is large, and a successful trigger disrupts name resolution for every client served by the affected resolver, cascading into outages for dependent services.
Critical Impact
A single crafted DNS packet can knock a dnsmasq resolver offline, breaking name resolution for all downstream clients relying on it.
Affected Products
- dnsmasq with DNSSEC validation enabled
- Pi-hole FTL versions prior to v6.6.2
- NixOS packages addressed in pull requests #519082 and #519093
Discovery Timeline
- 2026-05-11 - CVE-2026-4890 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-4890
Vulnerability Analysis
The vulnerability resides in the DNSSEC validation path of dnsmasq. With validation enabled, dnsmasq parses the cryptographic records (RRSIG, DNSKEY, DS, NSEC, NSEC3) that its upstream servers relay from authoritative servers and checks signatures and the chain of trust against its configured trust anchor. A malformed or specifically structured response drives the validator into an error state that terminates or stalls the resolver process. dnsmasq serves DNS from a single process and event loop, so a crash or stall inside validation takes down every query in flight, not only the one that carried the crafted records.
The affected code path is reachable whenever DNSSEC validation is enabled. Stock dnsmasq validates only when the dnssec option and a trust anchor are configured, so whether validation is on by default depends on the downstream package or appliance; check the effective configuration rather than assuming either way. No authentication, user interaction, or local access is required. The attacker only needs the resolver to process a response they shaped, which happens during ordinary forwarding: dnsmasq sets the DNSSEC OK (DO) bit on its upstream queries, the upstream fetches the attacker's zone and relays its records, and dnsmasq validates what comes back.
Root Cause
The root cause is improper handling of crafted DNSSEC response data inside the validation routines of dnsmasq: the validator does not safely reject every malformed combination of signature and key records, and one such combination leaves it in an unrecoverable state. The dnsmasq-discuss mailing list and the Kelleys CVE database describe the corrected validation logic and the records that trigger the failure.
Attack Vector
An attacker induces a target resolver to query an attacker-controlled zone; any client lookup will do, for example a hostname embedded in a web page or an e-mail. dnsmasq forwards the query upstream, the attacker's authoritative server answers with a crafted DNSSEC response, the upstream relays it, and dnsmasq crashes or hangs while validating it. The attack vector is the network, the complexity is low, and no privileges are needed. Do not assume a validating upstream will filter the response for you: a record set can be acceptable to one validator's parser and still trip another's. The vulnerability is described in the dnsmasq-discuss mailing list thread and CERT Vulnerability Note VU#471747.
No public proof-of-concept exploit code has been verified. See the Kelleys CVE database for technical details.
Detection Methods for CVE-2026-4890
Indicators of Compromise
- Unexpected termination or restart of the dnsmasq process in system logs
- Sudden spike in DNS query failures or SERVFAIL responses on the resolver
- Loss of DNS resolution for clients downstream of a dnsmasq instance
- Inbound DNS responses containing unusual or malformed DNSSEC records (RRSIG, DNSKEY, NSEC3)
Detection Strategies
- Monitor dnsmasq process uptime and watch for repeated crash-restart cycles via systemd or supervisor logs
- Alert on DNS query failure rate exceeding a baseline threshold per resolver
- Inspect upstream DNS responses with packet capture for anomalous DNSSEC record structures
- Correlate resolver outages with recent queries to newly observed or low-reputation domains
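The first and last strategies above, as an added example that is not code from the dnsmasq project or from the original advisory: a small Python detector run over a constructed journald-style excerpt. It assumes systemd's standard "Main process exited" message and dnsmasq's log-queries "forwarded NAME to UPSTREAM" lines; the hostnames, addresses, PIDs, times, the 60-second lookback and the three-crashes-in-ten-minutes threshold are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed journald-style excerpt, not a real capture. The systemd "Main process exited"
# line and dnsmasq's log-queries "query[...]" / "forwarded ... to ..." lines follow the real
# message shapes; hostnames, addresses, PIDs and times are invented for this example.
SAMPLE_LOG = """\
May 12 10:00:01 gw dnsmasq[812]: started, version 2.90 cachesize 150
May 12 10:00:01 gw dnsmasq[812]: DNSSEC validation enabled
May 12 10:03:10 gw dnsmasq[812]: query[A] www.example.org from 192.168.1.20
May 12 10:03:10 gw dnsmasq[812]: forwarded www.example.org to 192.0.2.53
May 12 10:04:12 gw dnsmasq[812]: query[A] lure.attacker.example from 192.168.1.31
May 12 10:04:12 gw dnsmasq[812]: forwarded lure.attacker.example to 192.0.2.53
May 12 10:04:13 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
May 12 10:04:13 gw systemd[1]: dnsmasq.service: Scheduled restart job, restart counter is at 1.
May 12 10:04:14 gw dnsmasq[833]: started, version 2.90 cachesize 150
May 12 10:05:02 gw dnsmasq[833]: query[A] lure.attacker.example from 192.168.1.31
May 12 10:05:02 gw dnsmasq[833]: forwarded lure.attacker.example to 192.0.2.53
May 12 10:05:03 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
May 12 10:05:04 gw dnsmasq[851]: started, version 2.90 cachesize 150
May 12 10:06:30 gw dnsmasq[851]: query[A] mail.example.org from 192.168.1.20
May 12 10:06:30 gw dnsmasq[851]: forwarded mail.example.org to 192.0.2.53
May 12 10:06:45 gw dnsmasq[851]: query[AAAA] lure.attacker.example from 192.168.1.31
May 12 10:06:45 gw dnsmasq[851]: forwarded lure.attacker.example to 192.0.2.53
May 12 10:06:46 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
CRASH_RE = re.compile(r"^dnsmasq\.service: Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$")

def parse_ts(text, year=2026):
    """syslog timestamps carry no year; the caller supplies one (2026 matches the sample)."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")

def analyze(log_text, lookback=timedelta(seconds=60), window=timedelta(minutes=10), min_crashes=3):
    """Returns (crashes, cycle, suspects):
    crashes  - (time, exit status, names forwarded within `lookback` before the crash) per crash
    cycle    - True if `min_crashes` or more crashes fall inside any `window` (crash-restart loop)
    suspects - names forwarded shortly before more than one crash, most frequent first"""
    forwards, crashes = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if m["prog"] == "dnsmasq":
            f = FORWARD_RE.match(msg)
            if f:
                forwards.append((ts, f["name"]))
        elif m["prog"] == "systemd":
            c = CRASH_RE.match(msg)
            if c:
                recent = [n for t, n in forwards if ts - lookback <= t <= ts]
                crashes.append((ts, c["status"], recent))
    # crash-restart cycle: a sliding window of min_crashes consecutive crashes fits inside `window`
    cycle = any(crashes[i + min_crashes - 1][0] - crashes[i][0] <= window
                for i in range(len(crashes) - min_crashes + 1))
    hits = defaultdict(int)
    for _, _, recent in crashes:
        for name in set(recent):
            hits[name] += 1
    suspects = sorted((n for n, k in hits.items() if k > 1), key=lambda n: -hits[n])
    return crashes, cycle, suspects
```

On the sample, analyze(SAMPLE_LOG) reports three SEGV exits inside ten minutes and names lure.attacker.example as the only domain forwarded shortly before more than one of them; on a real host the same logic runs over journalctl -u dnsmasq -u dnsmasq.service output, with the lookback tuned to the resolver's normal query rate so busy domains are not blamed by coincidence.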
Monitoring Recommendations
- Centralize dnsmasq logs into a SIEM or log platform with alerting on process crashes
- Track DNS resolution latency and error counters on every appliance running dnsmasq
- Capture and retain authoritative response traffic for forensic review after suspected outages
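The packet-level inspection that the capture recommendations above call for, as an added example that is not dnsmasq code and not from the advisory: a minimal DNS wire-format parser that walks a captured response with bounds checks on every field and applies a handful of RRSIG structural checks (RFC 4034/4035 rules picked for illustration, not dnsmasq's validator). The sample packets are constructed inline; they do not reproduce the trigger for this CVE, only the kind of record a reviewer would flag, including a record that runs past its RDLENGTH and a truncated packet.

```python
import struct

TYPE_A, TYPE_RRSIG, TYPE_DNSKEY = 1, 46, 48

def encode_name(name):
    """Uncompressed wire form of a dotted name (used only to build the constructed samples)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

def read_name(pkt, off):
    """Decode a possibly compressed name at off; returns (dotted name, offset just after it)."""
    labels, end = [], None
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            ptr = ((n & 0x3F) << 8) | pkt[off + 1]
            if ptr >= off:                        # backwards only, which also rules out pointer loops
                raise ValueError("compression pointer does not point backwards")
            end, off = (off + 2 if end is None else end), ptr
            continue
        if n > 63:
            raise ValueError("invalid label length %d" % n)
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n

def parse_response(pkt):
    """Walk header, question and every RR; returns (section, owner, type, rdata_off, rdata) tuples."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, rrs = 12, []
    for _ in range(qd):
        _, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)
            if off + 10 > len(pkt):
                raise ValueError("truncated RR header")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if off + rdlen > len(pkt):
                raise ValueError("RDLENGTH exceeds packet")
            rrs.append((section, name, rtype, off, pkt[off:off + rdlen]))
            off += rdlen
    return rrs

def dnssec_findings(pkt):
    """Structural RRSIG checks chosen for this example (RFC 4034/4035 rules, not dnsmasq's validator)."""
    out = []
    try:
        rrs = parse_response(pkt)
        present = {(s, n, t) for s, n, t, _, _ in rrs}
        for section, name, rtype, rd_off, rdata in rrs:
            if rtype != TYPE_RRSIG:
                continue
            if len(rdata) < 18:
                raise ValueError("%s: RRSIG shorter than its 18 fixed bytes" % name)
            covered, _alg, labels, _ottl, expiry, inception, _tag = struct.unpack("!HBBIIIH", rdata[:18])
            signer, sig_off = read_name(pkt, rd_off + 18)
            if sig_off > rd_off + len(rdata):
                raise ValueError("%s: signer name runs past RDLENGTH into the next record" % name)
            sig = pkt[sig_off:rd_off + len(rdata)]
            owner_labels = [l for l in name.rstrip(".").split(".") if l and l != "*"]
            if not sig:
                out.append("%s: empty signature" % name)
            if expiry <= inception:               # serial-number arithmetic ignored for brevity
                out.append("%s: expiry %d not after inception %d" % (name, expiry, inception))
            if labels > len(owner_labels):
                out.append("%s: Labels=%d exceeds owner label count %d" % (name, labels, len(owner_labels)))
            if not (signer == "." or signer == name or name.endswith("." + signer)):
                out.append("%s: signer %s is not the owner or an ancestor" % (name, signer))
            if (section, name, covered) not in present:
                out.append("%s: covers type %d but that RRset is absent from the %s section" % (name, covered, section))
    except ValueError as e:
        out.append("malformed: %s" % e)
    return out

def build_response(qname, rrs):
    """Constructed reply (flags QR|RD|RA, one A question). Owners equal to qname are emitted as a
    compression pointer to the question name at offset 12 so the samples exercise that path."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, rdata in rrs:
        pkt += (b"\xC0\x0C" if name == qname else encode_name(name)) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return pkt

def rrsig_rdata(covered, labels, expiry, inception, signer, sig):
    """RRSIG RDATA per RFC 4034 section 3.1; algorithm 13, original TTL 300 and key tag 12345 are filler."""
    return struct.pack("!HBBIIIH", covered, 13, labels, 300, expiry, inception, 12345) + encode_name(signer) + sig

OWNER = "www.example.com."
A_RR = (OWNER, TYPE_A, bytes([192, 0, 2, 10]))
GOOD = build_response(OWNER, [A_RR, (OWNER, TYPE_RRSIG, rrsig_rdata(TYPE_A, 3, 1800000000, 1700000000, "example.com.", b"\x01" * 64))])
CRAFTED = build_response(OWNER, [A_RR, (OWNER, TYPE_RRSIG, rrsig_rdata(TYPE_DNSKEY, 9, 1700000000, 1800000000, "attacker.example.", b""))])
TRUNCATED = GOOD[:-20]                            # the RRSIG's RDLENGTH now points past the end
```

dnssec_findings(GOOD) returns no findings, dnssec_findings(CRAFTED) returns five (empty signature, expiry before inception, Labels larger than the owner, a signer that is not an ancestor, and a covered type with no matching RRset), and dnssec_findings(TRUNCATED) returns a single "malformed" entry. To use it on real traffic, feed it the UDP payload of each upstream response from a capture and alert on any non-empty result; the deliberate design choice is that every length and offset is checked before it is used, which is precisely the discipline a validator must keep when an attacker controls the bytes.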
How to Mitigate CVE-2026-4890
Immediate Actions Required
- Update dnsmasq to the patched version published by the upstream maintainer at thekelleys.org.uk
- Update Pi-hole FTL to version v6.6.2 or later
- Apply distribution updates including the NixOS fixes in PR #519082 and PR #519093
- Restart resolver services after patching to load the corrected validation logic
Patch Information
The upstream dnsmasq project has released a fixed version referenced in the Kelleys CVE database and the dnsmasq-discuss mailing list. Downstream maintainers, including Pi-hole FTL v6.6.2 and NixOS, have shipped corresponding package updates. Coordinated guidance is also published in CERT VU#471747.
Workarounds
- Disable DNSSEC validation in the dnsmasq configuration until patching is complete, accepting the loss of DNSSEC protection; on Pi-hole, change the DNSSEC setting through Pi-hole itself, because FTL generates the dnsmasq configuration it runs with
- With local validation off, forward only to trusted upstream servers that validate, over a path you trust, and set proxy-dnssec so clients still receive the AD bit; this relays the upstream's verdict rather than verifying anything locally, and it does nothing for a dnsmasq that is still validating
- Use process supervision such as systemd with Restart=always to recover quickly from crashes while patching is in progress; be aware that systemd's start rate limit (StartLimitBurst within StartLimitIntervalSec) will stop restarting a service that keeps crashing, and that a restart does not stop the attacker re-triggering the condition
# Configuration example - disable DNSSEC validation as a temporary workaround in /etc/dnsmasq.conf
# Comment out or remove the following lines until the patched version is deployed:
# dnssec
# trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# dnssec-check-unsigned
# Optional: with local validation off, uncomment the next line to relay the AD bit from a
# validating upstream instead. This trusts that upstream and the path to it.
# proxy-dnssec
# Check the edited configuration for syntax errors, then reload the service and confirm it is up:
sudo dnsmasq --test
sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


