CVE-2026-4891 Overview
CVE-2026-4891 is a heap-based out-of-bounds read vulnerability in the DNSSEC validation logic of dnsmasq. Remote attackers can trigger the flaw by sending a crafted DNS packet to a vulnerable resolver. Successful exploitation causes a denial of service condition or exposure of small amounts of adjacent heap memory. The vulnerability requires no authentication and no user interaction, and it is reachable over the network.
dnsmasq is widely deployed in home routers, embedded Linux systems, and DNS filtering products such as Pi-hole, increasing the exposure footprint of this issue.
Critical Impact
Remote unauthenticated attackers can disrupt DNS resolution on affected dnsmasq instances by sending a single crafted DNS response, affecting any downstream client that depends on the resolver.
Affected Products
- dnsmasq builds with DNSSEC validation enabled
- Pi-hole FTL versions prior to v6.6.2
- NixOS packages tracked in pull requests #519082 and #519093
Discovery Timeline
- 2026-05-11 - CVE-2026-4891 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-4891
Vulnerability Analysis
The vulnerability resides in the DNSSEC validation path of dnsmasq. When the resolver parses a crafted DNSSEC-signed response, validation code reads beyond the bounds of a heap-allocated buffer. The out-of-bounds read can dereference memory the program does not own, leading to a process crash or limited information disclosure (CWE-125).
Because dnsmasq is typically a single long-running process serving all DNS requests on a host or subnet, a crash terminates DNS service for every downstream client. Recovery requires the process to be restarted by an init system or watchdog.
The attack is network-reachable and requires no privileges, which broadens the threat surface to any environment where dnsmasq accepts upstream responses from untrusted networks or processes attacker-influenced queries with DNSSEC validation enabled.
Root Cause
The root cause is missing or insufficient bounds checking inside the DNSSEC record parsing routines. Crafted record lengths or signature fields cause the parser to read past the end of the allocated record buffer. See the DNSMasq CVE Information and the DNSMasq Discussion Thread for upstream technical details.
Attack Vector
An attacker sends a malformed DNSSEC response that the vulnerable dnsmasq instance processes during validation. The response can be delivered through a controlled authoritative nameserver queried by the victim, or through response injection on the path. No authentication or user interaction is required. Refer to the CERT Vulnerability Note #471747 for additional technical context.
Detection Methods for CVE-2026-4891
Indicators of Compromise
- Unexpected restarts or crash logs from the dnsmasq service in journalctl or /var/log/syslog
- Repeated DNSSEC validation failures logged before a service termination
- Spikes in inbound DNS responses from unexpected authoritative servers
Detection Strategies
- Monitor dnsmasq process uptime and alert on unexpected restarts that correlate with inbound DNS traffic
- Inspect DNS responses for malformed DNSSEC records using network sensors or DNS-aware intrusion detection rules
- Correlate crash events with the source IP addresses of preceding DNS queries to identify attack origins
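The bounds check whose absence is described under Root Cause, as an added example that is not dnsmasq's code: a small Python checker that walks a DNS response and rejects any record whose RDLENGTH (or, for RRSIG, whose 18-byte fixed header plus signer name) runs past the end of the packet. The same check is the kind of malformed-DNSSEC inspection a network sensor from the detection list above can apply; the sample packets are constructed, not captured traffic.

```python
import struct
RRSIG = 46  # RR type number for RRSIG (RFC 4034)
def skip_name(pkt, off):
    """Return the offset just past the wire-format name at `off`, checking each label."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of buffer")
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + n

def check_response(pkt):
    """Walk every RR, verifying that RDLENGTH (and for RRSIG the 18-byte fixed header
    plus signer name) fit inside the packet. Returns the number of RRs checked."""
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])  # struct.error if header is short
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated RR fixed fields")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):  # the check a length-trusting parser lacks
            raise ValueError(f"RDLENGTH {rdlen} exceeds the {len(pkt) - off} bytes left")
        if rtype == RRSIG:
            if rdlen < 18:
                raise ValueError("RRSIG shorter than its 18-byte fixed header")
            skip_name(pkt[:off + rdlen], off + 18)  # signer name must end inside RDATA
        off += rdlen
    return an + ns + ar

def is_malformed(pkt):  # sensor-style helper: reason the packet is unsafe to parse, or None
    try:
        check_response(pkt)
    except (ValueError, struct.error) as e:
        return str(e)
    return None
# Constructed sample packets (not captured traffic): one well-formed, one with a lying RDLENGTH.
NAME = b"\x07example\x03com\x00"
HDR_Q = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + NAME + b"\x00\x01\x00\x01"
def rr(rtype, rdata, rdlen=None):
    return NAME + struct.pack("!HHIH", rtype, 1, 300, len(rdata) if rdlen is None else rdlen) + rdata
SIG = struct.pack("!HBBIIIH", 1, 8, 2, 300, 0x6A000000, 0x69F00000, 12345) + NAME + b"\x00" * 32
GOOD = HDR_Q + rr(1, b"\xc0\x00\x02\x01") + rr(RRSIG, SIG)
BAD = HDR_Q + rr(1, b"\xc0\x00\x02\x01") + rr(RRSIG, SIG[:20], rdlen=0xFFFF)
```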
Monitoring Recommendations
- Forward dnsmasq logs to a centralized SIEM and alert on SIGSEGV or abnormal exit codes
- Track DNS query and response latency to identify outages caused by resolver crashes
- Monitor DNSSEC validation error rates as a leading indicator of crafted packet activity
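Added example, not taken from the page's sources: correlating the indicators of compromise and monitoring points above in Python, over a constructed journal excerpt. A dnsmasq crash is flagged only when it was preceded by repeated DNSSEC validation failures inside a short window, so routine restarts and clean exits stay quiet. It assumes log-queries is enabled so validation results reach the journal, and the dnsmasq and systemd message formats are approximated.

```python
import re
from datetime import datetime, timedelta

# Constructed journal excerpt (not real output; dnsmasq/systemd message formats are approximated).
SAMPLE_LOG = """\
May 11 10:00:01 gw dnsmasq[812]: validation example.com is SECURE
May 11 10:00:05 gw dnsmasq[812]: validation evil.test is BOGUS
May 11 10:00:06 gw dnsmasq[812]: validation evil.test is BOGUS
May 11 10:00:07 gw dnsmasq[812]: validation evil.test is BOGUS
May 11 10:00:08 gw systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
May 11 10:00:09 gw systemd[1]: dnsmasq.service: Scheduled restart job, restart counter is at 1.
May 11 11:30:00 gw systemd[1]: dnsmasq.service: Main process exited, code=exited, status=0/SUCCESS
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
BOGUS = re.compile(r"\bvalidation \S+ is BOGUS\b")
CRASH = re.compile(r"dnsmasq\.service: Main process exited, code=(killed|dumped), status=\d+/(SEGV|ABRT|BUS)")

def parse_ts(stamp, year=2026):
    """Syslog-style timestamps carry no year, so one is supplied (assumed here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_suspicious_crashes(log_text, window=timedelta(seconds=60), threshold=2):
    """Return (crash_time, bogus_count) for each dnsmasq crash preceded by at least
    `threshold` DNSSEC validation failures within `window`. A clean exit never alerts."""
    bogus_times, alerts = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if m["unit"] == "dnsmasq" and BOGUS.search(msg):
            bogus_times.append(ts)
        elif CRASH.search(msg):
            recent = [t for t in bogus_times if timedelta(0) <= ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ts, len(recent)))
            bogus_times.clear()  # the restarted process starts with a clean slate
    return alerts
```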
How to Mitigate CVE-2026-4891
Immediate Actions Required
- Upgrade dnsmasq to the patched version referenced in the DNSMasq CVE Information advisory
- Upgrade Pi-hole FTL to v6.6.2 or later
- Apply distribution updates such as the NixOS fixes in pull request #519082 and pull request #519093
- Restrict the resolver to trusted upstream DNS servers and internal clients only
Patch Information
Upstream dnsmasq maintainers have released a fix referenced on the DNSMasq CVE Information page. Pi-hole has shipped the corrected library in FTL v6.6.2. Distribution maintainers should rebuild and redeploy affected packages.
Workarounds
- Disable DNSSEC validation in dnsmasq by removing the dnssec option from the configuration if patching cannot be performed immediately; note that this also removes DNSSEC protection against forged responses until the patch is applied
- Place the resolver behind a firewall that restricts inbound DNS responses to known upstream servers
- Configure a process supervisor to automatically restart dnsmasq after a crash to reduce service outage duration
# Configuration example: disable DNSSEC validation as a temporary workaround.
# In /etc/dnsmasq.conf, comment out (or delete) the DNSSEC directives so they read:
#dnssec
#dnssec-check-unsigned
# Then restart the service so the change takes effect:
sudo systemctl restart dnsmasq
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.