CVE-2026-4893 Overview
CVE-2026-4893 is an information disclosure vulnerability in dnsmasq, the lightweight DNS, DHCP, and TFTP forwarder widely deployed in routers, embedded devices, and Linux distributions. The flaw allows remote attackers to bypass source address checks by sending a crafted DNS packet that includes RFC 7871 EDNS Client Subnet (ECS) information. By spoofing or manipulating the ECS option, an attacker can elicit responses or information from a dnsmasq instance that would otherwise restrict queries based on source. The vulnerability affects DNS resolution integrity and can leak cached or internal name resolution data to unauthorized parties.
Critical Impact
Remote, unauthenticated attackers can bypass source-based access controls in dnsmasq to extract DNS information through crafted EDNS Client Subnet packets.
Affected Products
- dnsmasq (upstream releases prior to the fix referenced on the dnsmasq-discuss mailing list)
- Pi-hole FTL versions prior to v6.6.2
- NixOS packages tracking vulnerable dnsmasq builds
Discovery Timeline
- 2026-05-11 - CVE-2026-4893 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-4893
Vulnerability Analysis
The vulnerability resides in how dnsmasq validates the source of incoming DNS queries when those queries carry RFC 7871 EDNS Client Subnet (ECS) data. RFC 7871 defines an EDNS0 option that allows a recursive resolver to forward a portion of the client's IP subnet to authoritative servers for geo-aware responses. dnsmasq consumes this ECS information during query processing.
When a crafted DNS packet supplies ECS data, dnsmasq applies its source validation logic against the ECS-derived address rather than the true packet source. This trust mismatch allows an external attacker to impersonate a permitted client subnet. The attacker can then receive responses or cache state that should have been restricted to internal or trusted networks, resulting in information disclosure.
The issue is classified as an information disclosure flaw with no impact on integrity or availability. Exploitation requires no authentication and no user interaction, and the attack is delivered over the network.
Root Cause
The root cause is improper source validation in the DNS packet handler. The code path that enforces source-based access decisions consults the ECS option supplied by the remote sender. Because ECS data is attacker-controlled, the check can be bypassed by inserting a subnet that matches an allowed range.
Attack Vector
The attack vector is network-based. An attacker sends a DNS query to an exposed dnsmasq listener and embeds an EDNS0 ECS option containing a subnet that satisfies the resolver's source policy. The query is processed as if it originated from within that subnet, returning DNS response data that should not be exposed to external clients. See the dnsmasq-discuss mailing list post and the CERT Vulnerability Report #471747 for protocol-level analysis.
Detection Methods for CVE-2026-4893
Indicators of Compromise
- DNS queries arriving on external interfaces of dnsmasq that carry an EDNS0 Client Subnet option referencing internal RFC 1918 ranges.
- Unexpected DNS responses sent to non-local source addresses for names that should only resolve for internal clients.
- Spikes in EDNS0-bearing UDP/53 traffic from a small number of external source IPs.
Detection Strategies
- Inspect DNS traffic with packet capture or a DNS-aware network sensor for OPT pseudo-records containing ECS data on untrusted interfaces.
- Correlate dnsmasq query logs (log-queries enabled) with firewall flow records to identify queries answered for source addresses outside the allowed subnet.
- Compare ECS subnet values against the packet's true source IP and alert on mismatches.
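The ECS-versus-source comparison called for in the indicators and detection strategies above, as an added Python example that is not part of the original advisory: it parses the OPT pseudo-record of a raw DNS query, extracts the RFC 7871 Client Subnet option, and flags packets whose ECS subnet does not contain the true UDP source address, tagging separately the case where the ECS subnet is an RFC 1918 range. The two sample queries are constructed inline for the example, not captured traffic.

```python
import ipaddress
import struct

OPT_RR_TYPE, ECS_OPTION_CODE = 41, 8  # RFC 6891 OPT pseudo-RR; RFC 7871 ECS option code
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample queries (hex, not captured traffic): A query for nas.lan plus an OPT RR
# with one ECS option (family 1, source prefix /24, scope 0, address truncated to 3 bytes).
HDR_Q = "1234 0100 0001 0000 0000 0001  03 6e6173 03 6c616e 00  0001 0001"
OPT_ECS = " 00 0029 1000 00000000 000b  0008 0007  0001 18 00 "
SAMPLES = {
    "ecs_private": bytes.fromhex(HDR_Q + OPT_ECS + "c0a801"),  # ECS 192.168.1.0/24
    "ecs_match": bytes.fromhex(HDR_Q + OPT_ECS + "cb0071"),    # ECS 203.0.113.0/24
}

def _skip_name(msg: bytes, off: int) -> int:
    while True:  # return the offset just past the DNS name starting at off
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def extract_ecs(msg: bytes):
    """Return the ECS subnet carried in the OPT record as an ip_network, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off, pos = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == OPT_RR_TYPE and pos + 4 <= len(rdata):  # walk EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_len, _scope = struct.unpack("!HBB", data[:4])
                addr = data[4:].ljust(4 if family == 1 else 16, b"\x00")  # undo RFC 7871 truncation
                return ipaddress.ip_network((addr, src_len), strict=False)
    return None

def ecs_alert(msg: bytes, src_ip: str):
    """Alert text when the ECS subnet does not contain the true source IP, else None."""
    net, src = extract_ecs(msg), ipaddress.ip_address(src_ip)
    if net is None or (net.version == src.version and src in net):
        return None  # no ECS present, or ECS consistent with the packet source
    private = net.version == 4 and any(net.subnet_of(r) for r in RFC1918)
    tag = "RFC1918 ECS from external source" if private else "ECS/source mismatch"
    return f"{tag}: ecs={net} src={src}"
```

Feed `ecs_alert` the raw UDP payload and the source address from a capture or sensor; a non-None result is the mismatch the indicators above describe.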
Monitoring Recommendations
- Forward dnsmasq logs to a centralized analytics platform and baseline normal ECS usage patterns.
- Monitor for sustained external queries against DNS resolvers that are intended to serve internal clients only.
- Track package versions of dnsmasq and Pi-hole FTL across the fleet to confirm patch deployment.
How to Mitigate CVE-2026-4893
Immediate Actions Required
- Upgrade dnsmasq to the fixed release noted on the dnsmasq CVE page.
- Upgrade Pi-hole FTL to v6.6.2 or later.
- Restrict the dnsmasq listener to trusted interfaces using interface= or listen-address= directives, and block UDP/TCP port 53 from untrusted networks at the perimeter firewall.
Patch Information
Vendor patches are tracked on the dnsmasq project CVE page and in the upstream dnsmasq-discuss announcement. Pi-hole shipped the corresponding fix in FTL v6.6.2. NixOS package updates are tracked in PR #519082 and PR #519093.
Workarounds
- Disable EDNS Client Subnet processing in dnsmasq configuration if the feature is not required for upstream geo-aware resolution.
- Bind dnsmasq to internal interfaces only and reject queries from external sources at the network edge.
- Use access control directives such as local-service to limit responses to clients on directly attached subnets until the patch is applied.
# Configuration example: restrict dnsmasq to the internal interface and to local clients
listen-address=192.168.1.1
bind-interfaces
local-service
# Optional: add-subnet controls the ECS option dnsmasq attaches to upstream queries (off by
# default). A zero prefix length sends an empty ECS option, which marks the query so that
# upstream resolvers add no client address information. Omit the line if ECS is not required.
add-subnet=0.0.0.0/0,::/0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.