CVE-2025-68276
Unknown Unknown - Not Provided
Denial of Service in Avahi-daemon via D-Bus RecordBrowser Abuse

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68276
EUVD
EUVD-2025-206280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avahi avahi to 0.9-rc2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68276 is a vulnerability in the Avahi daemon where unprivileged local users can crash the avahi-daemon process by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus, even when the wide-area feature is disabled. This triggers an assertion failure in the avahi_wide_area_scan_cache function, causing the daemon to abort with a SIGABRT signal. The issue arises because the daemon improperly allows creation of wide-area record browsers when the feature is disabled, leading to a reachable assertion vulnerability (CWE-617) and a denial of service. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an unprivileged local user to cause a denial of service (DoS) by crashing the avahi-daemon process. This crash disrupts the service discovery functionality on the local network, potentially affecting network operations that rely on Avahi for mDNS/DNS-SD service discovery. The impact is limited to availability, with no confidentiality or integrity loss. [1, 2]

Detection Guidance

You can detect this vulnerability by checking if the avahi-daemon is running a vulnerable version (up to and including 0.9-rc2) with the wide-area feature disabled. To test for the vulnerability, you can run D-Bus calls to Avahi's ResolveAddress, ResolveHostName, and ResolveService methods with the AVAHI_LOOKUP_USE_WIDE_AREA flag set and observe if these calls cause the avahi-daemon to crash or return failure codes. The smoke test script (.github/workflows/smoke-tests.sh) used in the fix performs such D-Bus calls and expects failure codes (1 and 3) when wide-area browsing is disabled. Monitoring for avahi-daemon crashes (SIGABRT) triggered by these calls can also indicate the presence of the vulnerability. [3]

Mitigation Strategies

Immediate mitigation steps include ensuring that the Avahi daemon configuration file (avahi-daemon.conf) explicitly disables wide-area browsing by not setting or setting `enable-wide-area=no`. Additionally, update Avahi to a version that includes the fix from pull request #806, which prevents the creation of wide-area record browsers when the wide-area feature is disabled. Until a patched version is available, restrict unprivileged local user access to D-Bus methods that can create record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag to prevent exploitation. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart