CVE-2025-68471

6.5 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to crash the Avahi daemon by sending two specially crafted mDNS announcements with CNAME records two seconds apart. This affects systems running Avahi 0.9-rc2 and earlier versions, primarily Linux systems using Avahi for local network service discovery.

💻 Affected Systems

Products:
  • Avahi
Versions: 0.9-rc2 and earlier
Operating Systems: Linux distributions with Avahi installed
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with Avahi enabled and listening on network interfaces are vulnerable. Many Linux distributions include Avahi by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Denial of service on the Avahi daemon, disrupting local network service discovery and potentially affecting dependent services.

🟠 Likely Case: Temporary service disruption requiring daemon restart, causing brief loss of mDNS/DNS-SD functionality.

🟢 If Mitigated: Minimal impact with proper network segmentation and Avahi service isolation.

🌐 Internet-Facing: LOW (Avahi typically listens on local network interfaces only)
🏢 Internal Only: MEDIUM (Attackers on the same local network could disrupt service discovery)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending two crafted packets with specific timing. Proof of concept is available in the GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1

Vendor Advisory: https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg

Restart Required: Yes

Instructions:

1. Update Avahi to latest version from distribution repositories.
2. For source builds: apply commit 9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1.
3. Restart avahi-daemon service.

🔧 Temporary Workarounds

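Disable Avahi service (Linux)

Stop and disable the Avahi daemon if it is not needed:

sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon

Network filtering (Linux)

Block mDNS traffic (port 5353/udp) at network boundaries:

sudo iptables -A INPUT -p udp --dport 5353 -j DROP

Applied on the Avahi host itself, this rule drops all inbound mDNS, so the host also stops receiving legitimate discovery traffic.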

🧯 If You Can't Patch

  • Implement network segmentation to isolate Avahi services
  • Monitor for avahi-daemon crashes and implement automatic restart

🔍 How to Verify

Check if Vulnerable:

Check the Avahi version with avahi-daemon --version. If the version is 0.9-rc2 or earlier, the system is vulnerable.

Check Version:

avahi-daemon --version 2>/dev/null || dpkg -l | grep avahi || rpm -qa | grep avahi

Verify Fix Applied:

Verify version is newer than 0.9-rc2 and check if commit 9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1 is included.

📡 Detection & Monitoring

Log Indicators:

  • Avahi daemon crash logs in systemd journal
  • Segmentation fault messages in /var/log/syslog

Network Indicators:

  • Multiple mDNS announcements with CNAME records from single source
  • Unusual port 5353/udp traffic patterns

SIEM Query:

source="syslog" AND "avahi-daemon" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
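
The SIEM query above, applied to syslog-style text with awk and grouped per host, as an added example that is not part of the original advisory. The sample lines are constructed, the classic syslog layout (host name in field 4) is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# Constructed sample lines in classic syslog layout:
#   month day time host tag: message
sample_log() {
cat <<'EOF'
Jan 10 09:14:02 ws-01 avahi-daemon[812]: Server startup complete.
Jan 10 09:15:40 ws-01 kernel: avahi-daemon[812]: Segmentation fault
Jan 10 09:15:41 ws-01 systemd[1]: avahi-daemon.service: process crash
Jan 10 09:16:02 ws-02 systemd[1]: nginx.service: worker got SIGSEGV
Jan 10 09:17:30 ws-03 systemd[1]: avahi-daemon.service: killed by SIGSEGV
Jan 10 09:18:00 ws-03 avahi-daemon[77]: Registering new address record
EOF
}

# Read syslog lines on stdin; print "host count" for each host with lines matching
#   "avahi-daemon" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
# Matching is case-insensitive; the host is assumed to be field 4.
avahi_crash_hits() {
    awk '
        {
            line = tolower($0)
            if (index(line, "avahi-daemon") == 0) next
            if (line ~ /segmentation fault|crash|sigsegv/) hits[$4]++
        }
        END { for (h in hits) print h, hits[h] }
    ' | sort
}

# Read "host count" pairs on stdin; print hosts with at least $1 hits.
# Repeated hits on one host suggest a crash/restart loop rather than a one-off.
avahi_repeat_hosts() {
    awk -v min="$1" '$2 + 0 >= min + 0 { print $1 }'
}

# On a live system the input could come from, e.g.:
#   journalctl -o short --no-pager | avahi_crash_hits
sample_log | avahi_crash_hits
```

Lines from other services that contain the same crash terms (the nginx line in the sample) are excluded because the daemon name is required on the same line.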
