VYPR
Medium severity 5.3 · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-4893

Description

An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

dnsmasq fails to validate EDNS Client Subnet source addresses, allowing remote attackers to bypass source checks and poison the cache.

Vulnerability

Overview

CVE-2026-4893 is an information disclosure vulnerability in dnsmasq's handling of EDNS Client Subnet (ECS) options as defined in RFC 7871. When the --add-subnet feature is enabled, process_reply() incorrectly passes the OPT record length (approximately 23 bytes) to check_source() instead of the full DNS packet length. This causes all internal bounds and source validation checks to fail, and check_source() consequently always returns success, so source validation is effectively disabled [1][3].
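The length mix-up described above, reduced to a small C model. This is an added illustration and not dnsmasq source code: the function names, the fixed offsets and the constructed packet bytes are assumptions; only the pattern (a validator that is handed the OPT record length instead of the packet length and then accepts on every failed bounds check) comes from the advisory text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not dnsmasq source. All names and the layout are assumptions. */
enum { ECS_OFF = 40, OPT_RR_LEN = 23, PKT_LEN = 52, ECS_DATA_LEN = 8 };

/* Constructed ECS payload we "sent": family 1 (IPv4), source /32, scope 0, 192.0.2.1 */
static const uint8_t sent_ecs[ECS_DATA_LEN] = { 0, 1, 32, 0, 192, 0, 2, 1 };

/* Returns 1 to accept the reply, 0 to reject it. As in the behaviour the advisory
   describes, a failed bounds check ends in "accept" rather than "reject". */
static int model_check_source(const uint8_t *pkt, size_t plen)
{
    if ((size_t)ECS_OFF + 4 > plen)
        return 1;                              /* option header out of bounds */
    size_t optlen = ((size_t)pkt[ECS_OFF + 2] << 8) | pkt[ECS_OFF + 3];
    if (ECS_OFF + 4 + optlen > plen)
        return 1;                              /* option data out of bounds */
    if (optlen != ECS_DATA_LEN)
        return 0;                              /* wrong size: subnet cannot match */
    return memcmp(pkt + ECS_OFF + 4, sent_ecs, ECS_DATA_LEN) == 0;
}

/* Constructed reply: zeroed header, question and OPT RR header, then one ECS option. */
static void build_reply(uint8_t pkt[PKT_LEN], const uint8_t ecs[ECS_DATA_LEN])
{
    memset(pkt, 0, PKT_LEN);
    pkt[ECS_OFF + 1] = 8;                      /* option code 8 = Client Subnet */
    pkt[ECS_OFF + 3] = ECS_DATA_LEN;
    memcpy(pkt + ECS_OFF + 4, ecs, ECS_DATA_LEN);
}

/* 1 if a reply carrying `ecs` is accepted, validating with the OPT length or the full length. */
static int reply_accepted(const uint8_t ecs[ECS_DATA_LEN], int use_full_len)
{
    uint8_t pkt[PKT_LEN];
    build_reply(pkt, ecs);
    return model_check_source(pkt, use_full_len ? PKT_LEN : OPT_RR_LEN);
}

int main(void)
{
    const uint8_t other[ECS_DATA_LEN] = { 0, 1, 32, 0, 198, 51, 100, 7 }; /* constructed mismatch */
    printf("OPT length:  mismatching reply accepted = %d\n", reply_accepted(other, 0));
    printf("full length: mismatching reply accepted = %d\n", reply_accepted(other, 1));
    return 0;
}
```

With the OPT record length every bounds check trips and the mismatching subnet is accepted; with the packet length the comparison actually runs and the reply is rejected.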

Exploitation

Conditions

An attacker can exploit this vulnerability by sending a crafted DNS packet containing a malformed ECS option to a vulnerable dnsmasq server that has --add-subnet enabled. No authentication is required. The attacker must be able to send DNS queries to the target server and receive responses. The bug is reachable before any DNSSEC validation, meaning a valid signature is not required to trigger the validation bypass [2][3].

Impact

Successful exploitation allows a remote attacker to bypass the source address checks defined in §9.2 of RFC 7871. This can enable DNS cache poisoning attacks where the attacker can insert false DNS entries into the dnsmasq cache, redirecting victims to attacker-controlled IP addresses. The vulnerability is rated Medium (CVSS 5.3) with a focus on confidentiality and integrity impact through cache poisoning [1][2].

Mitigation

Status

The issue is fixed in dnsmasq version 2.92rel2, released on 11 May 2026 [2]. Patches are available from the official dnsmasq website [2]. Major distributors such as Pi-hole (FTL v6.6.2) and NixOS (release-25.11) have released updated packages [3][4]. Users are strongly advised to upgrade to the patched version or apply the vendor-supplied patches.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
