CVE-2026-24401
Stack Exhaustion in Avahi-daemon via Recursive CNAME mDNS Response
Publication date: 2026-01-24
Last updated on: 2026-02-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| avahi | avahi | up to 0.9 (exclusive) |
| avahi | avahi | 0.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability in avahi-daemon versions up to 0.9rc2 is caused by uncontrolled recursion in the function lookup_handle_cname when processing recursive CNAME DNS records. Specifically, if avahi-daemon receives an unsolicited multicast DNS response containing a recursive CNAME record where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"), it triggers infinite recursion. This recursion leads to stack exhaustion and causes the daemon to crash with a segmentation fault. The issue affects record browsers that explicitly set the AVAHI_LOOKUP_USE_MULTICAST flag, including those created by resolvers used by nss-mdns. The root cause is the lack of loop detection in CNAME record processing, which was later fixed by adding a loop detection mechanism to prevent infinite recursion. [2, 3, 1]
How can this vulnerability impact me?
This vulnerability can cause the avahi-daemon to crash due to a segmentation fault triggered by stack exhaustion from infinite recursion. The impact is a denial of service (DoS) condition where the service responsible for local network service discovery becomes unavailable. This can disrupt applications and systems relying on Avahi for multicast DNS service discovery, potentially affecting network functionality and user experience. The vulnerability can be exploited remotely or locally, requiring only that a malicious or malformed multicast DNS response be sent to the affected system. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unsolicited multicast DNS responses containing recursive CNAME records where the alias and canonical name are the same (e.g., a CNAME record for "h.local" pointing to "h.local"). A practical way to test or detect this is by crafting and sending a malicious multicast DNS packet that triggers the crash, for example using the Scapy Python library with the command: send(IP(dst='224.0.0.251%iface')/UDP(sport=5353,dport=5353)/DNS(qd=[],qr=1,an=[DNSRR(rrname='h.local',type='CNAME',ttl=1,rdata='h.local')])) where 'iface' is your network interface. Observing crashes or segmentation faults in avahi-daemon when such packets are received indicates the presence of the vulnerability. [3]
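The monitoring check described above, as an added example that is not part of the original page or of the Avahi project: a parser for raw mDNS UDP payloads that flags CNAME records whose target equals their owner name. It compares decoded names, so a target written as a compression pointer or in different letter case is still caught. `MAX_JUMPS` and the sample byte strings are assumptions constructed for the example.

```python
import struct

CNAME = 5        # RR type for CNAME
MAX_JUMPS = 16   # assumed cap on compression-pointer hops while decoding a name

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (lowercased name, next offset)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            jumps += 1
            if jumps > MAX_JUMPS:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def self_cnames(msg):
    """Owner names of CNAME records in a DNS response whose target equals the owner."""
    hits = []
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        if not flags & 0x8000:                    # QR bit clear: query, not a response
            return hits
        off = 12
        for _ in range(qd):                       # skip questions (name + type + class)
            off = read_name(msg, off)[1] + 4
        for _ in range(an + ns + ar):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == CNAME and read_name(msg, off)[0] == owner:
                hits.append(owner)
            off += rdlen
    except (ValueError, IndexError, struct.error):
        pass                                      # malformed or truncated: keep earlier hits
    return hits

# Constructed sample payloads (UDP payload bytes only), not captures.
HDR = bytes.fromhex("000084000000000100000000")   # response, one answer
RR = b"\x00\x05\x00\x01\x00\x00\x00\x01"          # type CNAME, class IN, TTL 1
H, A, B = b"\x01h\x05local\x00", b"\x01a\x05local\x00", b"\x01b\x05local\x00"
SELF_PLAIN = HDR + H + RR + b"\x00\x09" + H            # h.local -> h.local
SELF_COMPRESSED = HDR + H + RR + b"\x00\x02\xc0\x0c"   # target is a pointer to offset 12
BENIGN = HDR + A + RR + b"\x00\x09" + B                # a.local -> b.local
```

The check covers only the self-referential record described here; it does not follow longer CNAME chains across records or packets.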
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating avahi-daemon to a version that includes the patch from commit 78eab31128479f06e30beb8c1cbf99dd921e2524, which implements loop detection to prevent infinite recursion caused by cyclic CNAME records. If updating is not immediately possible, consider restricting or filtering unsolicited multicast DNS traffic on your network to prevent malicious CNAME records from reaching vulnerable avahi-daemon instances. Monitoring and restarting the avahi-daemon service upon crashes can also help maintain availability until a patch is applied. [1, 3]