Skip to main content

dnsmasq CVE-2026-4893

| EUVDEUVD-2026-29155 MEDIUM
2026-05-11 certcc GHSA-4rrv-pmrh-2vc4
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 19:47 vuln.today
Analysis Generated
May 11, 2026 - 19:47 vuln.today
CVSS changed
May 11, 2026 - 19:22 NVD
5.3 (MEDIUM)
CVE Published
May 11, 2026 - 16:48 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 16:48 nvd
MEDIUM 5.3

DescriptionCVE.org

An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.

AnalysisAI

Information disclosure in dnsmasq 2.93 allows remote attackers to bypass source IP validation checks by sending crafted DNS packets containing RFC 7871 client subnet (EDNS Client Subnet) information. The vulnerability enables attackers to determine internal network information that should remain hidden behind source address filtering, affecting the confidentiality of network topology and potentially enabling further reconnaissance. CVSS 5.3 reflects the network-accessible nature with low complexity but limited direct impact.

Technical ContextAI

dnsmasq is a lightweight DNS forwarder and DHCP server commonly deployed in routers, NAS devices, and network appliances. The vulnerability stems from improper validation of RFC 7871 EDNS Client Subnet (ECS) extension in DNS queries. ECS allows DNS queries to include the requesting client's subnet information, intended for geolocation-aware responses. dnsmasq's source IP checking mechanism, which validates that DNS responses originate from legitimate sources, fails to properly account for ECS-based spoofing. When RFC 7871 ECS information is included in a crafted packet, the vulnerable code bypasses normal source address validation, allowing an attacker to determine or infer internal network information that the DNS server intended to restrict. CWE information not provided in source data, but this falls under the domain of improper input validation and authentication bypass in network protocol handling.

RemediationAI

Upgrade to dnsmasq version 2.92rel2 or later, which incorporates the RFC 7871 source validation fix confirmed in NixOS PR #519082 and #519093. The upstream fix is documented in the dnsmasq mailing list at https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html and the official CVE page at https://thekelleys.org.uk/dnsmasq/CVE/. If immediate patching is not possible, implement network-level mitigations: restrict DNS query access to trusted subnets via firewall rules on port 53 (UDP/TCP), disable EDNS extensions if operationally feasible (though this may break legitimate functionality for clients using ECS), or deploy dnsmasq behind a filtering DNS proxy that strips or validates ECS headers. These mitigations reduce the attack surface but do not remediate the underlying vulnerability and may impact DNS resolution performance for geolocation-dependent services.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-4893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy