CVE-2025-68471
Unknown Unknown - Not Provided
Denial of Service in Avahi-daemon via Malformed CNAME Records

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68471
EUVD
EUVD-2025-206278
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avahi avahi_daemon to 0.9-rc2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68471 is a vulnerability in avahi-daemon (version 0.9-rc2 and earlier) where the daemon crashes due to a reachable assertion failure in the lookup_start function when it receives two unsolicited multicast DNS announcements containing CNAME resource records spaced about 2 seconds apart. The crash happens because the assertion !l->wide_area && !l->multicast fails when processing these CNAME records with varying TTL values, causing the daemon to abort unexpectedly with a SIGABRT signal. This leads to a denial of service by crashing the avahi-daemon process. [1, 2]

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the avahi-daemon process on affected systems. Since avahi-daemon facilitates service discovery on local networks, its crash can disrupt network service discovery functionality, potentially impacting applications and services relying on mDNS/DNS-SD. The attack can be performed remotely over the network without privileges but requires user interaction (receiving crafted multicast DNS packets). [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for crashes of the avahi-daemon triggered by receiving unsolicited multicast DNS (mDNS) CNAME resource record announcements spaced about 2 seconds apart. Specifically, sending crafted mDNS packets with CNAME records and observing if the avahi-daemon crashes can confirm the presence of the vulnerability. An example command to replicate the exploit and thus detect the vulnerability uses the Python Scapy library to send two multicast DNS responses with CNAME records spaced 2 seconds apart: ```send(IP(dst='224.0.0.251%iface')/UDP(sport=5353,dport=5353)/DNS(qd=[],qr=1,an=[DNSRR(rrname='_ipp._tcp.local',type='CNAME',ttl=1,rdata='Q')]), count=2, inter=2)``` where `iface` is your network interface name. Observing a crash of avahi-daemon after running this command indicates the vulnerability is present. [2]

Mitigation Strategies

Immediate mitigation steps include updating avahi-daemon to a version that includes the fix replacing the assertion failure with a conditional check to prevent duplicate lookups, as implemented in commit 9c6eb53. If an update is not immediately available, consider disabling or restricting the avahi-daemon service to limit exposure to unsolicited multicast DNS packets, or applying network-level filtering to block suspicious mDNS CNAME announcements. Monitoring and restarting the avahi-daemon upon crashes can also help maintain service availability until a patch is applied. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart