Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
Published: 2026-03-19
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenWrt, a Linux‑based OS for embedded devices, contains a stack‑based buffer overflow in the mdns daemon. The vulnerability lies in the match_ipv6_addresses function, which copies incoming IPv6 reverse DNS queries from a name buffer into a 256‑byte stack array using strcpy, then extracts the address into a 46‑byte buffer without validating the length. An attacker can send a PTR query exceeding 46 bytes on UDP port 5353 to overflow this buffer, potentially leading to remote code execution.

Affected Systems

Vulnerable versions of the OpenWrt operating system include any build before v24.10.6 and before v25.12.1. The affected product is the OpenWrt software, all builds that ship the mdns daemon in earlier releases.

Risk and Exploitability

The CVSS score of 9.5 indicates a high severity, and the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires crafting a specialized DNS query sent over multicast DNS to the device, successful exploitation is limited to environments where the device is reachable via UDP port 5353. Still, the stack overflow could permit arbitrary code execution once triggered.

Generated by OpenCVE AI on March 24, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenWrt firmware to version 24.10.6 or later

Generated by OpenCVE AI on March 24, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openwrt
Openwrt openwrt
Vendors & Products Openwrt
Openwrt openwrt

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Critical

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
Title OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Openwrt Openwrt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:56:13.660Z

Reserved: 2026-03-06T00:04:56.698Z

Link: CVE-2026-30872

cve-icon Vulnrichment

Updated: 2026-03-20T19:40:50.324Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:31.797

Modified: 2026-03-24T14:05:07.653

Link: CVE-2026-30872

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-19T21:56:23Z

Links: CVE-2026-30872 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:35Z

Weaknesses