CVE-2025-68471
Denial of Service in Avahi-daemon via Malformed CNAME Records
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| avahi | avahi_daemon | up to 0.9-rc2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68471 is a vulnerability in avahi-daemon (version 0.9-rc2 and earlier) where the daemon crashes due to a reachable assertion failure in the `lookup_start` function when it receives two unsolicited multicast DNS announcements containing CNAME resource records spaced about 2 seconds apart. The crash happens because the assertion `!l->wide_area && !l->multicast` fails when these CNAME records with varying TTL values are processed, causing the daemon to abort with SIGABRT. The result is a denial of service through the crash of the avahi-daemon process. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) by crashing the avahi-daemon process on affected systems. Since avahi-daemon facilitates service discovery on local networks, its crash can disrupt network service discovery functionality, potentially impacting applications and services relying on mDNS/DNS-SD. The attack can be performed remotely over the network without privileges but requires user interaction (receiving crafted multicast DNS packets). [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes of avahi-daemon triggered by unsolicited multicast DNS (mDNS) CNAME resource record announcements spaced about 2 seconds apart. Specifically, sending crafted mDNS packets with CNAME records and observing whether avahi-daemon crashes confirms that the vulnerability is present. An example command that replicates the trigger, and thus detects the vulnerability, uses the Python Scapy library to send two multicast DNS responses with CNAME records 2 seconds apart: ```send(IP(dst='224.0.0.251%iface')/UDP(sport=5353,dport=5353)/DNS(qd=[],qr=1,an=[DNSRR(rrname='_ipp._tcp.local',type='CNAME',ttl=1,rdata='Q')]), count=2, inter=2)``` where `iface` is your network interface name. A crash of avahi-daemon after running this command indicates the vulnerability is present. Note that this test is disruptive by design, since a vulnerable daemon aborts; a non-disruptive first check is to compare the installed avahi-daemon version with the affected range (0.9-rc2 and earlier) listed above. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating avahi-daemon to a version that includes the fix, which replaces the assertion with a conditional check that prevents duplicate lookups, as implemented in commit 9c6eb53. If an update is not immediately available, consider disabling or restricting the avahi-daemon service to limit exposure to unsolicited multicast DNS packets, or applying network-level filtering to block suspicious mDNS CNAME announcements. Monitoring avahi-daemon and restarting it after a crash can also help maintain service availability until the patch is applied. [3]
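The fix pattern described above (a reachable assert() replaced by a conditional check, CWE-617), as an added illustration in C that is not Avahi's code: the `lookup` struct, the two `lookup_start_*` functions and the two-announcement driver are assumptions made for the example, with only the field names taken from the advisory text.

```c
/* Hypothetical, simplified model of the CWE-617 pattern behind CVE-2025-68471.
 * Added illustration, not Avahi's code: the struct, the function names and the
 * driver below are invented; only the wide_area/multicast fields come from
 * the assertion quoted in the advisory. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

struct lookup {
    bool wide_area;   /* a wide-area (unicast) lookup is already running */
    bool multicast;   /* a multicast lookup is already running */
};

/* Vulnerable pattern: an assert() guards state that remote input can drive.
 * A second start request for the same lookup aborts the process (SIGABRT). */
int lookup_start_assert(struct lookup *l) {
    assert(!l->wide_area && !l->multicast);   /* CWE-617: reachable assertion */
    l->multicast = true;
    return 0;
}

/* Hardened pattern: the same condition becomes an ordinary check. A duplicate
 * start is reported to the caller with -1 and the daemon keeps running. */
int lookup_start_checked(struct lookup *l) {
    if (l->wide_area || l->multicast)
        return -1;                            /* lookup already in progress */
    l->multicast = true;
    return 0;
}

/* Models two announcements arriving for the same name: the first starts a
 * lookup, the second must not take the process down. Returns the second
 * call's result (never returns for the assert variant: it aborts instead). */
int handle_two_announcements(int (*start)(struct lookup *)) {
    struct lookup l = { false, false };
    start(&l);
    return start(&l);
}

int main(void) {
    printf("checked variant, second announcement: %d\n",
           handle_two_announcements(lookup_start_checked));
    /* handle_two_announcements(lookup_start_assert) would abort the process */
    return 0;
}
```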