VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-4891

Description

A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap out-of-bounds read in dnsmasq's DNSSEC validation of crafted RRSIG records allows a remote attacker to crash the service.

Vulnerability

A heap-based out-of-bounds read vulnerability exists in the DNSSEC validation code of dnsmasq versions prior to 2.92rel2. The flaw is triggered when a DNS packet declares an rdlen smaller than the fixed RRSIG header plus the signer's name, causing a negative signature length and a subsequent out-of-bounds read [3].
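The length arithmetic the paragraph describes is easy to get wrong: RRSIG RDATA (RFC 4034 section 3.1) is an 18-byte fixed header, then the signer's name, then the signature filling whatever RDLENGTH is left. If the signer's name is parsed against the packet rather than against RDLENGTH, a declared RDLENGTH shorter than header plus name yields a negative (or, unsigned, wrapped) signature length and a read past the record. The following parser is an added example written for this page, not dnsmasq's code or the patched code; the sample record bytes, values and the helper names are constructed for illustration. It shows the check that must run before the subtraction, next to the naive computation that goes negative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 4034 section 3.1: RRSIG RDATA starts with an 18-byte fixed header
 * (type covered 2, algorithm 1, labels 1, original TTL 4, expiration 4,
 * inception 4, key tag 2), then the signer's name in uncompressed wire
 * format, then the signature, which occupies the rest of RDLENGTH. */
#define RRSIG_FIXED_LEN 18

typedef struct {
    uint16_t type_covered;
    uint8_t  algorithm;
    uint8_t  labels;
    uint32_t original_ttl;
    uint32_t sig_expiration;
    uint32_t sig_inception;
    uint16_t key_tag;
    size_t   signer_len;      /* bytes occupied by the signer's name */
    const uint8_t *signature; /* points into the packet buffer */
    size_t   sig_len;
} rrsig_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Length of an uncompressed wire-format name within `avail` bytes, including
 * the terminating zero label; 0 if the name is malformed or truncated. */
static size_t wire_name_len(const uint8_t *p, size_t avail) {
    size_t i = 0;
    while (i < avail) {
        uint8_t lab = p[i];
        if (lab == 0) return i + 1;
        if (lab > 63) return 0;  /* compression pointers are not valid in a signer's name */
        i += 1 + (size_t)lab;
    }
    return 0;
}

/* The arithmetic the advisory describes: a signed signature length derived
 * from the declared RDLENGTH without first checking that RDLENGTH covers the
 * fixed header plus the signer's name. Negative for the malformed case. */
long naive_sig_len(size_t rdlen, size_t signer_len) {
    return (long)rdlen - RRSIG_FIXED_LEN - (long)signer_len;
}

/* Hardened parse. `rdata` points at the RDATA, `rdlen` is the declared
 * RDLENGTH, `avail` is how many packet bytes actually remain from `rdata`.
 * Returns 0 on success, -1 if the record is malformed. */
int parse_rrsig(const uint8_t *rdata, size_t rdlen, size_t avail, rrsig_t *out) {
    if (rdlen > avail) return -1;            /* RDLENGTH claims more than the packet holds */
    if (rdlen < RRSIG_FIXED_LEN) return -1;  /* cannot even hold the fixed header */

    /* A packet-level name extractor bounds the name by the packet, not by
     * rdlen; that is exactly why the RDLENGTH check below is required. */
    size_t signer_len = wire_name_len(rdata + RRSIG_FIXED_LEN, avail - RRSIG_FIXED_LEN);
    if (signer_len == 0) return -1;

    /* Reject before subtracting: unsigned arithmetic would wrap to a huge
     * length, signed arithmetic would go negative, and either way the
     * signature pointer would run past the end of the record. */
    if (rdlen < RRSIG_FIXED_LEN + signer_len) return -1;

    out->type_covered   = rd16(rdata);
    out->algorithm      = rdata[2];
    out->labels         = rdata[3];
    out->original_ttl   = rd32(rdata + 4);
    out->sig_expiration = rd32(rdata + 8);
    out->sig_inception  = rd32(rdata + 12);
    out->key_tag        = rd16(rdata + 16);
    out->signer_len     = signer_len;
    out->signature      = rdata + RRSIG_FIXED_LEN + signer_len;
    out->sig_len        = rdlen - RRSIG_FIXED_LEN - signer_len;
    return 0;
}

/* Constructed sample RDATA (not a capture): covers type A, algorithm 8,
 * 2 labels, TTL 3600, placeholder timestamps and key tag, signer
 * "example.com." (13 bytes) and an 8-byte placeholder signature; 39 bytes. */
const uint8_t SAMPLE_RRSIG[] = {
    0x00, 0x01, 0x08, 0x02,                                      /* type covered, algorithm, labels */
    0x00, 0x00, 0x0e, 0x10,                                      /* original TTL 3600 */
    0x00, 0x00, 0x00, 0x00,                                      /* expiration (placeholder) */
    0x00, 0x00, 0x00, 0x00,                                      /* inception (placeholder) */
    0x12, 0x34,                                                  /* key tag (placeholder) */
    0x07, 'e','x','a','m','p','l','e', 0x03, 'c','o','m', 0x00,  /* signer's name */
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04               /* signature (placeholder) */
};
#define SAMPLE_LEN (sizeof SAMPLE_RRSIG)

int main(void) {
    rrsig_t sig;
    /* Well-formed: RDLENGTH matches the record, signature length is 8. */
    int ok = parse_rrsig(SAMPLE_RRSIG, SAMPLE_LEN, SAMPLE_LEN, &sig);
    printf("well-formed: rc=%d sig_len=%zu\n", ok, sig.sig_len);
    /* Malformed: same bytes, RDLENGTH declared as 20, less than 18 + 13. */
    int bad = parse_rrsig(SAMPLE_RRSIG, 20, SAMPLE_LEN, &sig);
    printf("malformed:   rc=%d naive_sig_len=%ld\n", bad, naive_sig_len(20, 13));
    return 0;
}
```

The design point is the order of operations: validate that RDLENGTH covers the header and the fully parsed signer's name, and only then compute the signature length and pointer. A fuzzer feeding the parser records whose RDLENGTH is shorter than the name it contains is the regression test worth keeping for this class of bug.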

Exploitation

An unauthenticated remote attacker can exploit this issue by sending a specially crafted DNS packet with a malformed RRSIG resource record. No prior authentication or local network access is required; the attacker only needs to be able to send DNS queries to the vulnerable dnsmasq instance [1][3]. The bug is reachable before RRSIG validation, so no valid DNSSEC signatures are necessary to trigger the condition [3].

Impact

A successful exploit leads to a denial of service (a crash of the dnsmasq process), interrupting DNS forwarding and DHCP services for all clients relying on that instance [1][3]. According to advisory information, the crash is reliably reproducible, making the vulnerability a practical vector for disrupting DNS services [3].

Mitigation

The dnsmasq project has released version 2.92rel2, which patches this and five other critical security issues [1][2][4]. Upstream distributions and downstream projects such as Pi-hole have already incorporated the fix in their packages [3]. Users are strongly advised to update to the patched version immediately.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 4