Skip to main content
CVE Vulnerability Database

CVE-2026-4891: dnsmasq DNSSEC DoS Vulnerability

CVE-2026-4891 is a heap-based out-of-bounds read flaw in dnsmasq's DNSSEC validation that enables remote attackers to trigger denial of service. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-4891 Overview

CVE-2026-4891 is a heap-based out-of-bounds read vulnerability in the DNSSEC validation logic of dnsmasq. Remote attackers can trigger the flaw by sending a crafted DNS packet to a vulnerable resolver. Successful exploitation causes a denial of service condition or exposure of small amounts of adjacent heap memory. The vulnerability requires no authentication and no user interaction, and it is reachable over the network.

dnsmasq is widely deployed in home routers, embedded Linux systems, and DNS filtering products such as Pi-hole, increasing the exposure footprint of this issue.

Critical Impact

Remote unauthenticated attackers can disrupt DNS resolution on affected dnsmasq instances by sending a single crafted DNS response, affecting any downstream client that depends on the resolver.

Affected Products

  • dnsmasq builds with DNSSEC validation enabled
  • Pi-hole FTL versions prior to v6.6.2
  • NixOS packages tracked in pull requests #519082 and #519093

Discovery Timeline

  • 2026-05-11 - CVE-2026-4891 published to the National Vulnerability Database
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-4891

Vulnerability Analysis

The vulnerability resides in the DNSSEC validation path of dnsmasq. When the resolver parses a crafted DNSSEC-signed response, validation code reads beyond the bounds of a heap-allocated buffer. The out-of-bounds read can dereference memory the program does not own, leading to a process crash or limited information disclosure ([CWE-125]).

Because dnsmasq is typically a single long-running process serving all DNS requests on a host or subnet, a crash terminates DNS service for every downstream client. Recovery requires the process to be restarted by an init system or watchdog.

The attack is network-reachable and requires no privileges, which broadens the threat surface to any environment where dnsmasq accepts upstream responses from untrusted networks or processes attacker-influenced queries with DNSSEC validation enabled.

Root Cause

The root cause is missing or insufficient bounds checking inside the DNSSEC record parsing routines. Crafted record lengths or signature fields cause the parser to read past the end of the allocated record buffer. See the DNSMasq CVE Information and the DNSMasq Discussion Thread for upstream technical details.

Attack Vector

An attacker sends a malformed DNSSEC response that the vulnerable dnsmasq instance processes during validation. The response can be delivered through a controlled authoritative nameserver queried by the victim, or through response injection on the path. No authentication or user interaction is required. Refer to the CERT Vulnerability Note #471747 for additional technical context.

Detection Methods for CVE-2026-4891

Indicators of Compromise

  • Unexpected restarts or crash logs from the dnsmasq service in journalctl or /var/log/syslog
  • Repeated DNSSEC validation failures logged before a service termination
  • Spikes in inbound DNS responses from unexpected authoritative servers

Detection Strategies

  • Monitor dnsmasq process uptime and alert on unexpected restarts that correlate with inbound DNS traffic
  • Inspect DNS responses for malformed DNSSEC records using network sensors or DNS-aware intrusion detection rules
  • Correlate crash events with the source IP addresses of preceding DNS queries to identify attack origins

Monitoring Recommendations

  • Forward dnsmasq logs to a centralized SIEM and alert on SIGSEGV or abnormal exit codes
  • Track DNS query and response latency to identify outages caused by resolver crashes
  • Monitor DNSSEC validation error rates as a leading indicator of crafted packet activity

How to Mitigate CVE-2026-4891

Immediate Actions Required

Patch Information

Upstream dnsmasq maintainers have released a fix referenced on the DNSMasq CVE Information page. Pi-hole has shipped the corrected library in FTL v6.6.2. Distribution maintainers should rebuild and redeploy affected packages.

Workarounds

  • Disable DNSSEC validation in dnsmasq by removing the dnssec option from the configuration if patching cannot be performed immediately
  • Place the resolver behind a firewall that restricts inbound DNS responses to known upstream servers
  • Configure a process supervisor to automatically restart dnsmasq after a crash to reduce service outage duration
bash
# Configuration example: disable DNSSEC validation as a temporary workaround
# /etc/dnsmasq.conf
# dnssec
# dnssec-check-unsigned
# Comment out the lines above, then restart the service:
sudo systemctl restart dnsmasq

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.