CVE-2025-68276
Denial of Service in Avahi-daemon via D-Bus RecordBrowser Abuse
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| avahi | avahi | to 0.9-rc2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68276 is a vulnerability in the Avahi daemon where unprivileged local users can crash the avahi-daemon process by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus, even when the wide-area feature is disabled. This triggers an assertion failure in the avahi_wide_area_scan_cache function, causing the daemon to abort with a SIGABRT signal. The issue arises because the daemon improperly allows creation of wide-area record browsers when the feature is disabled, leading to a reachable assertion vulnerability (CWE-617) and a denial of service. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an unprivileged local user to cause a denial of service (DoS) by crashing the avahi-daemon process. This crash disrupts the service discovery functionality on the local network, potentially affecting network operations that rely on Avahi for mDNS/DNS-SD service discovery. The impact is limited to availability, with no confidentiality or integrity loss. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the avahi-daemon is running a vulnerable version (up to and including 0.9-rc2) with the wide-area feature disabled. To test for the vulnerability, you can run D-Bus calls to Avahi's ResolveAddress, ResolveHostName, and ResolveService methods with the AVAHI_LOOKUP_USE_WIDE_AREA flag set and observe if these calls cause the avahi-daemon to crash or return failure codes. The smoke test script (.github/workflows/smoke-tests.sh) used in the fix performs such D-Bus calls and expects failure codes (1 and 3) when wide-area browsing is disabled. Monitoring for avahi-daemon crashes (SIGABRT) triggered by these calls can also indicate the presence of the vulnerability. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that the Avahi daemon configuration file (avahi-daemon.conf) explicitly disables wide-area browsing by not setting or setting `enable-wide-area=no`. Additionally, update Avahi to a version that includes the fix from pull request #806, which prevents the creation of wide-area record browsers when the wide-area feature is disabled. Until a patched version is available, restrict unprivileged local user access to D-Bus methods that can create record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag to prevent exploitation. [2, 3]