An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.

A validation bypass was discovered in dnsmasq's RFC 7871 client subnet (ECS) handling. When verifying ECS source information in DNS responses, dnsmasq passes the OPT record length instead of the full packet length to the validation function.This causes all internal bounds checks to fail, completely bypassing ECS source validation and allowing an attacker to spoof client subnet information.

Red Hat rates this as Moderate. This issue affects deployments with the `--add-subnet` option enabled. The impact is limited to bypassing ECS source validation, which could allow cache manipulation scoped to specific subnets or minor information disclosure about network topology. Red Hat Enterprise Linux 10 2026-05-19T00:00:00Z RHSA-2026:19158 dnsmasq-0:2.90-7.el10_2 Red Hat Enterprise Linux 8 2026-05-26T00:00:00Z RHSA-2026:20589 dnsmasq-0:2.79-36.el8_10 Red Hat Enterprise Linux 9 2026-05-19T00:00:00Z RHSA-2026:19373 dnsmasq-0:2.85-18.el9_8.1 Red Hat Enterprise Linux 6 Affected dnsmasq Red Hat Enterprise Linux 7 Affected dnsmasq Red Hat OpenShift Container Platform 4 Affected rhcos https://www.cve.org/CVERecord?id=CVE-2026-4893 https://nvd.nist.gov/vuln/detail/CVE-2026-4893 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html