Description
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
Published: 2026-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from an uncontrolled recursion in Avahi's lookup_handle_cname function when processing mDNS messages that contain a self‑referential CNAME record. This causes the daemon to crash with a segmentation fault, exhausting the stack and leading to a denial of service by terminating the avahi‑daemon process.

Affected Systems

Affected products are the Avahi service discovery daemon provided by the avahi vendor. Versions 0.9rc2 and earlier, including 0.9rc1 and 0.9rc2, are vulnerable. The issue is present in all builds using the mDNS/DNS‑SD protocol suite when AVAHI_LOOKUP_USE_MULTICAST is set explicitly, such as record browsers created by resolvers used by nss-mdns.

Risk and Exploitability

The CVSS base score is 6.5, indicating a medium severity vulnerability. The EPSS score is below 1%, suggesting a low likelihood of exploitation but not zero. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to send a crafted unsolicited mDNS response containing a recursive CNAME record to a machine running the vulnerable Avahi daemon on the same local network, which can be achieved by simple network traffic injection or spoofing. If executed, the attack causes a crash of the daemon, disrupting local service discovery.

Generated by OpenCVE AI on April 18, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avahi to a version that contains commit 78eab31128479f06e30beb8c1cbf99dd921e2524 or later.
  • Restart the avahi‑daemon service to load the updated code.
  • If an upgrade cannot be performed immediately, disable AVAHI_LOOKUP_USE_MULTICAST in resolver or configuration files, or configure firewall rules to block unsolicited mDNS traffic from untrusted sources.

Generated by OpenCVE AI on April 18, 2026 at 02:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*
cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:*
cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:*

Wed, 28 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Avahi
Avahi avahi
Vendors & Products Avahi
Avahi avahi

Sat, 24 Jan 2026 02:00:00 +0000

Type Values Removed Values Added
Description Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
Title Avahi has Uncontrolled Recursion in lookup_handle_cname function
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Avahi Avahi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:24.487Z

Reserved: 2026-01-22T18:19:49.172Z

Link: CVE-2026-24401

cve-icon Vulnrichment

Updated: 2026-01-26T16:14:25.957Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T02:15:48.760

Modified: 2026-02-12T15:58:27.273

Link: CVE-2026-24401

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-24T01:25:02Z

Links: CVE-2026-24401 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses