diff --git a/dnsmasq-2.93-CVE-2026-4892.patch b/dnsmasq-2.93-CVE-2026-4892.patch
new file mode 100644
index 0000000..db5c266
--- /dev/null
+++ b/dnsmasq-2.93-CVE-2026-4892.patch
@@ -0,0 +1,36 @@
+From e0a5f7bef040d25631ffff9abaf8424091b768bc Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 25 Mar 2026 23:16:35 +0000
+Subject: [PATCH 4/5] Fix buffer overflow in helper.c with large CLIDs.
+ CVE-2026-4892
+
+Bug reported bt Royce M
+
+Location: helper.c:265-270
+DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
+the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
+A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
+
+Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
+---
+ src/helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/helper.c b/src/helper.c
+index b9da225..3a31e61 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ data.hostname_len + data.ed_len + data.clid_len, 1))
+ continue;
+
+- /* CLID into packet */
+- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
++ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
++ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
+ {
+ p += sprintf(p, "%.2x", buf[i]);
+ if (i != data.clid_len - 1)
+--
+2.54.0
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 97d95f5..7e64e5d 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -52,6 +52,7 @@ Patch4: dnsmasq-CVE-2026-2291.patch
 Patch5: dnsmasq-2.93-CVE-2026-2291.patch
 Patch6: dnsmasq-2.93-CVE-2026-4890.patch
 Patch7: dnsmasq-2.93-CVE-2026-4891.patch
+Patch8: dnsmasq-2.93-CVE-2026-4892.patch
 Requires: nettle
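Review bot: In the create_helper hunk of the embedded src/helper.c patch, the loop is now bounded by `i < 100` but the separator test below it is still `if (i != data.clid_len - 1)`, so for a CLID longer than 100 bytes the last encoded byte no longer counts as the final one and would presumably be followed by a dangling separator (the `if` body lies outside the hunk). Computing the bound once, `n = data.clid_len < 100 ? data.clid_len : 100;`, and using `i < n` and `i != n - 1` keeps the string passed to the script well-formed. The bare `100` would read better as a named constant shared with the log6_packet() cap that the commit message refers to. The comment should also state that longer client IDs are silently truncated, e.g. `/* CLID into packet: only the first 100 bytes are encoded; longer IDs are truncated. */`, because the script cannot tell apart two clients whose IDs agree in those bytes.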
@@ -230,6 +231,7 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 - Prevent overflow in extract_name function (CVE-2026-2291)
 - Prevent DoS in DNSSEC validation (CVE-2026-4890)
 - Prevent out-of-bounds read in DNSSEC validation (CVE-2026-4891)
+- Prevent out-of-bounds write in DHCPv6 server (CVE-2026-4892)
 * Wed Mar 18 2026 Petr Menšík - 2.90-6
 - Prevent heap buffer overflow in cache via NAME_ESCAPE expansion