diff --git a/SPECS/dnsmasq/CVE-2026-4891.patch b/SPECS/dnsmasq/CVE-2026-4891.patch
new file mode 100644
index 00000000000..d6371981aae
--- /dev/null
+++ b/SPECS/dnsmasq/CVE-2026-4891.patch
@@ -0,0 +1,42 @@
+From 2309d38fb51a018d066132bb81a1741b4c5b282f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 25 Mar 2026 23:04:08 +0000
+Subject: [PATCH] Verify rdlen field in RRSIG packets. CVE-2026-4891
+
+Bug report from Royce M <royce@xchglabs.com>
+
+This avoids crafted packets which give a value for rdlen _less_
+then the space taken up by the fixed data and the signer's name
+and engender a negative calculated length for the signature.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=788b4e0f6c05217981b512bed4e5fea6f8855d01
+---
+ src/dnssec.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index ed2f53f..bdd48ca 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+ 
+ 	   *ttl_out = ttl;
+ 	 }
+-       
++
++      /* Don't trust rdlen not to be too small and give us a negative sig_len
++	 It has already been checked that it doesn't run us off the end
++	 of the packet. */
++      if ((sig_len = rdlen - (p - psav)) <= 0)
++	return STAT_BOGUS;
++
+       sig = p;
+-      sig_len = rdlen - (p - psav);
+-              
+       nsigttl = htonl(orig_ttl);
+       
+       hash->update(ctx, 18, psav);
+-- 
+2.45.4
+
diff --git a/SPECS/dnsmasq/dnsmasq.spec b/SPECS/dnsmasq/dnsmasq.spec
index 6e009406a6d..9626cbcc424 100644
--- a/SPECS/dnsmasq/dnsmasq.spec
+++ b/SPECS/dnsmasq/dnsmasq.spec
@@ -1,7 +1,7 @@
 Summary:        DNS proxy with integrated DHCP server
 Name:           dnsmasq
 Version:        2.90
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2 or GPLv3
 Group:          System Environment/Daemons
 URL:            https://www.thekelleys.org.uk/dnsmasq/
@@ -9,6 +9,7 @@ Source0:        https://www.thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Patch0:         fix-missing-ioctl-SIOCGSTAMP-add-sockios-header-linux-5.2.patch
+Patch1:         CVE-2026-4891.patch
 
 BuildRequires:  kernel-headers
 
@@ -66,6 +67,9 @@ EOF
 %config  /usr/share/dnsmasq/trust-anchors.conf
 
 %changelog
+* Fri May 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.90-2
+- Patch for CVE-2026-4891
+
 * Thu Feb 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.90-1
 - Auto-upgrade to 2.90 - Azure Linux 3.0 Upgrades