CVE-2026-30872
Received Received - Intake
Stack-Based Buffer Overflow in OpenWrt mdns Enables RCE

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30872
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openwrt openwrt to 24.10.6 (exc)
openwrt openwrt From 25.12.0 (inc) to 25.12.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the mdns daemon of the OpenWrt Project's Linux operating system for embedded devices. Specifically, in versions before 24.10.6 and 25.12.1, there is a stack-based buffer overflow in the match_ipv6_addresses function. The issue occurs when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353.

The vulnerability arises because the domain name from name_buffer is copied using strcpy into a fixed 256-byte stack buffer without validating the length. Then, the reverse IPv6 request is extracted into a smaller buffer of only 46 bytes. Since the length of the data is never checked before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write and overflowing the stack buffer.

This overflow can potentially allow remote code execution by an attacker sending a specially crafted DNS query.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to perform a stack-based buffer overflow remotely via specially crafted multicast DNS queries. The overflow can lead to remote code execution on the affected device.

Remote code execution means an attacker could potentially take control of the device, execute arbitrary code, disrupt services, or use the device as a foothold to attack other systems within the network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your OpenWrt system to version 24.10.6 or later, or 25.12.1 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart