Skip to main content

dnsmasq EUVDEUVD-2026-29152

| CVE-2026-4890 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-11 certcc GHSA-32px-jfgq-53xf
7.5
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 19:45 vuln.today
Analysis Generated
May 11, 2026 - 19:45 vuln.today
CVSS changed
May 11, 2026 - 19:22 NVD
7.5 (HIGH)
CVE Published
May 11, 2026 - 16:47 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 16:47 nvd
HIGH 7.5

DescriptionCVE.org

A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.

AnalysisAI

Remote unauthenticated attackers can crash dnsmasq DNS servers via crafted packets exploiting DNSSEC validation logic. The vulnerability affects dnsmasq 2.93 with CVSS 7.5 (high severity). Upstream fix is available in version 2.92rel2 per NixOS packaging commits, though official vendor release status requires confirmation. No public exploit identified at time of analysis, with CERT/CC tracking (VU#471747) suggesting coordinated disclosure.

Technical ContextAI

dnsmasq is a lightweight DNS forwarder and DHCP server widely deployed in embedded devices, routers, and Linux distributions. This vulnerability targets the DNSSEC (DNS Security Extensions) validation component, which cryptographically verifies DNS responses to prevent cache poisoning. The affected CPE (cpe:2.3:a:dnsmasq:dnsmasq) encompasses all dnsmasq deployments with DNSSEC validation enabled. EUVD data specifically identifies version 2.93 as affected. Without a CWE classification, the root cause class is unclear, but DoS in DNSSEC validators often stems from resource exhaustion parsing malformed DNSSEC records (signatures, keys, delegation chains) or algorithmic complexity attacks. The CVSS vector (AV:N/AC:L) indicates network-reachable exploitation with low complexity, meaning standard DNS query mechanisms suffice.

RemediationAI

Upgrade to dnsmasq version 2.92rel2 or later, as evidenced by upstream fixes in NixOS packaging commits (https://github.com/NixOS/nixpkgs/pull/519082 and https://github.com/NixOS/nixpkgs/pull/519093). Consult the official vendor CVE page (https://thekelleys.org.uk/dnsmasq/CVE/) and mailing list announcement (https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html) for authoritative patch guidance, as version numbering discrepancy (2.93 listed as vulnerable while patches target 2.92rel2) requires vendor clarification. If immediate patching is not feasible, disable DNSSEC validation by removing 'dnssec' and 'trust-anchor' directives from dnsmasq.conf as a temporary workaround - this eliminates attack surface but removes DNSSEC protection against cache poisoning, creating a different security trade-off unsuitable for security-sensitive environments. For internet-facing resolvers, consider switching to alternative DNSSEC-capable resolvers (BIND, Unbound) until patching is complete. Network-level mitigation via rate-limiting DNS queries from untrusted sources may reduce DoS impact but does not prevent exploitation.

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-14491 CRITICAL POC
9.8 Oct 04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2017-13704 HIGH
7.5 Oct 03

In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call get

CVE-2017-14495 HIGH POC
7.5 Oct 03

Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote

CVE-2017-14496 HIGH POC
7.5 Oct 03

Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-su

CVE-2017-14493 CRITICAL POC
9.8 Oct 03

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execu

CVE-2017-14494 MEDIUM POC
5.9 Oct 03

dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vect

CVE-2019-14513 HIGH POC
7.5 Aug 01

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that

CVE-2015-3294 MEDIUM POC
6.4 May 08

The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function

CVE-2013-0198 MEDIUM POC
5.0 Mar 05

Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces,

CVE-2026-4892 HIGH
8.4 May 11

Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with roo

CVE-2021-3448 MEDIUM POC
4.0 Apr 08

A flaw was found in dnsmasq in versions before 2.85. Rated medium severity (CVSS 4.0), this vulnerability is remotely ex

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

EUVD-2026-29152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy