CVE-2026-34933
Received Received - Intake
Denial of Service in Avahi-daemon via D-Bus Method Call

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34933
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
avahi avahi to 0.9 (exc)
avahi avahi 0.9
avahi avahi 0.9
avahi avahi 0.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Avahi, a system that facilitates service discovery on a local network using the mDNS/DNS-SD protocol suite. Before version 0.9-rc4, any unprivileged local user could cause the avahi-daemon to crash by sending a single D-Bus method call with conflicting publish flags.

The issue was fixed in version 0.9-rc4.

Impact Analysis

The vulnerability allows an unprivileged local user to crash the avahi-daemon, which can lead to a denial of service condition on the affected system.

The CVSS score of 5.5 indicates a medium severity impact, specifically causing availability issues without affecting confidentiality or integrity.

Mitigation Strategies

To mitigate this vulnerability, update avahi-daemon to version 0.9-rc4 or later, as this version contains the patch that fixes the issue.

Since the vulnerability allows any unprivileged local user to crash avahi-daemon by sending a crafted D-Bus method call, restricting local user access or monitoring for unusual crashes may help as temporary measures until the update is applied.

Compliance Impact

This vulnerability allows an unprivileged local user to crash the avahi-daemon by sending a specially crafted D-Bus method call. The impact is a denial of service (availability) without affecting confidentiality or integrity.

Since the vulnerability does not lead to unauthorized access, data leakage, or modification, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or health data.

However, the denial of service could affect system availability, which may be a consideration under some regulatory frameworks that require systems to be resilient and available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart