Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-09T00:00:00 dnsmasq: NSEC bitmap parsing infinite loop 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835

A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.

A denial of service vulnerability was discovered in dnsmasq's DNSSEC validation. When parsing NSEC and NSEC3 bitmap records, the window iteration logic fails to account for the 2-byte window header when advancing through the bitmap data. A specially crafted DNS response with a zero-length bitmap can cause an infinite loop, making dnsmasq unresponsive to all queries.

This issue affects deployments with DNSSEC validation enabled (--dnssec). The flaw is reachable before RRSIG signature validation, meaning no valid DNSSEC signatures are required to trigger it. However, the primary impact is limited to denial of service. Red Hat Enterprise Linux 10 2026-05-19T00:00:00Z RHSA-2026:19158 dnsmasq-0:2.90-7.el10_2 Red Hat Enterprise Linux 8 2026-05-26T00:00:00Z RHSA-2026:20589 dnsmasq-0:2.79-36.el8_10 Red Hat Enterprise Linux 9 2026-05-19T00:00:00Z RHSA-2026:19373 dnsmasq-0:2.85-18.el9_8.1 Red Hat Enterprise Linux 6 Under investigation dnsmasq Red Hat Enterprise Linux 7 Under investigation dnsmasq Red Hat OpenShift Container Platform 4 Under investigation rhcos https://www.cve.org/CVERecord?id=CVE-2026-4890 https://nvd.nist.gov/vuln/detail/CVE-2026-4890 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html