Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
Published: 2026-03-19
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is a stack‑based buffer overflow in the mdns daemon of OpenWrt. In the parse_question function a 256‑byte stack buffer is filled by copying an 8,096‑byte global buffer that has been expanded by dn_expand. Because dn_expand converts non‑printable ASCII bytes into escaped octal sequences, a crafted PTR DNS query inflates the name beyond the stack space, allowing the overflow. The result is that an attacker can potentially execute arbitrary code on the device.

Affected Systems

All OpenWrt installations running the mdns daemon before the release of version 24.10.6 or 25.12.1 are impacted. The vulnerability is triggered by normal multicast DNS traffic on UDP port 5353 and is present in devices that use the default mdns service provided by OpenWrt.

Risk and Exploitability

The score of 9.5 indicates a high severity, but the EPSS score of less than 1% suggests that it is currently unlikely to be exploited. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires crafting a specific DNS packet that targets the PTR query handling over UDP 5353, a typical network access vector for devices on local networks.

Generated by OpenCVE AI on March 24, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenWrt firmware to version 24.10.6 or 25.12.1 or newer, where the mdns daemon has been patched.
  • If the mdns service is not required, disable it or remove the package from the installation.
  • After updating, verify that the mdns process is no longer listening on UDP 5353.
  • Continuously monitor network traffic for unexpected or malformed UDP 5353 packets as an additional defensive measure.

Generated by OpenCVE AI on March 24, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openwrt
Openwrt openwrt
Vendors & Products Openwrt
Openwrt openwrt

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Critical

Thu, 19 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
Title OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Openwrt Openwrt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:56:12.627Z

Reserved: 2026-03-06T00:04:56.698Z

Link: CVE-2026-30871

cve-icon Vulnrichment

Updated: 2026-03-20T20:16:04.477Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:31.633

Modified: 2026-03-24T14:07:06.507

Link: CVE-2026-30871

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-19T21:49:50Z

Links: CVE-2026-30871 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:37Z

Weaknesses