CVE-2026-4890
Description
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote, unauthenticated attacker can cause dnsmasq to enter an infinite loop in DNSSEC validation via a crafted NSEC record, leading to denial of service.
CVE-2026-4890 is a denial of service vulnerability in dnsmasq's DNSSEC validation. The root cause is an infinite loop in the parsing of NSEC bitmap records: the window-iteration step omits the 2-byte window header length, so a crafted NSEC record with bitmap_length == 0 causes the loop to never terminate [1][3].
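The loop behaviour described above, as an added example (not dnsmasq source and not part of the original record). `walk_flawed` is a hypothetical model of a window step that skips the 2-byte header, `nsec_has_type` is a bounded walker following the NSEC type bitmap layout in RFC 4034 section 4.1.2, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_STEPS 1024  /* demo-only cap so the flawed walker returns */
/* Constructed samples: one window with type A set; one window with length 0. */
static const uint8_t ok_map[]   = {0x00, 0x01, 0x40};
static const uint8_t zero_len[] = {0x00, 0x00};

/* Hypothetical model of the flawed step: the cursor advances by the bitmap
 * length only, so a block with bitmap_length == 0 never moves it.
 * Returns the iteration count, or -1 when the demo cap is hit. */
int walk_flawed(const uint8_t *p, size_t len)
{
    size_t off = 0; int steps = 0;
    while (len - off >= 2) {
        if (++steps > MAX_STEPS) return -1;  /* would spin forever uncapped */
        off += p[off + 1];                   /* BUG: window header not counted */
        if (off > len) break;
    }
    return steps;
}

/* Hardened walker: bitmap length must be 1..32, windows must ascend, and
 * every step consumes header + bitmap, so the cursor always moves forward.
 * Returns 1 if `type` is present, 0 if absent, -1 if the bitmap is malformed. */
int nsec_has_type(const uint8_t *p, size_t len, uint16_t type)
{
    int prev = -1, found = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;                 /* truncated header */
        int window = p[off];
        size_t blen = p[off + 1];
        if (blen < 1 || blen > 32 || len - off - 2 < blen) return -1;
        if (window <= prev) return -1;                /* not strictly ascending */
        size_t byte = (type & 0xff) >> 3;             /* byte within this window */
        if (window == (type >> 8) && byte < blen &&
            (p[off + 2 + byte] & (0x80 >> (type & 7)))) found = 1;
        prev = window;
        off += 2 + blen;                              /* always advances >= 3 */
    }
    return found;
}

int main(void)
{
    printf("flawed: %d  hardened: %d\n", walk_flawed(zero_len, sizeof zero_len),
           nsec_has_type(zero_len, sizeof zero_len, 1));
    return 0;
}
```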
An attacker can exploit this remotely without authentication by sending a DNS packet containing a malicious NSEC record. The vulnerability is reachable before RRSIG validation, meaning no valid DNSSEC signatures are required to trigger it [3]. Once triggered, the infinite loop consumes CPU resources and stops dnsmasq from answering any further queries, resulting in a denial of service [1].
This vulnerability affects all non-ancient versions of dnsmasq. The fix is included in dnsmasq version 2.92rel2, which was released on May 11, 2026 [2]. Users are advised to upgrade immediately. Downstream distributions have also backported the patch [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 6
News mentions: 1
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (The Hacker News · May 18, 2026)