CVE-2026-24401

6.5 MEDIUM

📋 TL;DR

A vulnerability in Avahi versions 0.9rc2 and below allows remote attackers to crash the avahi-daemon service via a specially crafted mDNS response containing a recursive CNAME record. This causes a segmentation fault due to unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects systems using Avahi with AVAHI_LOOKUP_USE_MULTICAST enabled, including those using nss-mdns for service discovery.

💻 Affected Systems

Products:
  • Avahi
Versions: 0.9rc2 and below
Operating Systems: Linux distributions with Avahi installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service on the Avahi daemon, disrupting local network service discovery and potentially affecting applications relying on mDNS/DNS-SD for network services.

🟠 Likely Case

Service disruption causing temporary loss of local network service discovery capabilities until the daemon is restarted.

🟢 If Mitigated

Minimal impact if Avahi is not used or if network filtering prevents malicious mDNS packets from reaching vulnerable systems.

🌐 Internet-Facing: LOW - mDNS typically operates on local networks and is not exposed to the internet by default.
🏢 Internal Only: MEDIUM - Attackers on the local network can exploit this to disrupt service discovery, but impact is limited to denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious mDNS response packet to the target system, which can be done from the local network without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 78eab31128479f06e30beb8c1cbf99dd921e2524 and later versions

Vendor Advisory: https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3

Restart Required: Yes

Instructions:

1. Update Avahi to a patched version from your distribution's repositories.
2. Restart the avahi-daemon service: 'sudo systemctl restart avahi-daemon' or 'sudo service avahi-daemon restart'.

🔧 Temporary Workarounds

Disable Avahi if not needed

linux

Stop and disable the Avahi daemon if mDNS service discovery is not required on the system.

sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon

Network filtering

linux

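Block mDNS traffic (UDP port 5353) from untrusted networks using firewall rules. As written, the rule below drops inbound mDNS on every interface, which also stops legitimate discovery on the host; scope it to the interfaces that face untrusted networks.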

sudo iptables -A INPUT -p udp --dport 5353 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems running Avahi from untrusted networks.
  • Monitor for avahi-daemon crashes and restart the service automatically if disruption occurs.

🔍 How to Verify

Check if Vulnerable:

Check the Avahi version with 'avahi-daemon --version', 'dpkg -l | grep avahi' on Debian/Ubuntu, or 'rpm -q avahi' on RHEL/CentOS. If the version is 0.9rc2 or earlier, the system is vulnerable.

Check Version:

avahi-daemon --version 2>/dev/null || dpkg -l | grep avahi || rpm -q avahi

Verify Fix Applied:

Verify that the installed Avahi version is newer than 0.9rc2 and that the build includes commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in system logs related to avahi-daemon
  • Avahi daemon crash logs in /var/log/syslog or journalctl

Network Indicators:

  • Unusual mDNS traffic with recursive CNAME records
  • Multiple mDNS responses from single sources

SIEM Query:

source="syslog" AND ("avahi-daemon" AND ("segmentation fault" OR "SIGSEGV"))
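
An added example (not from the advisory or the Avahi project): a log scan for the crash indicators above that also matches the kernel's `segfault at` line and systemd's `status=11/SEGV` line, which the query's two terms do not cover, and flags hosts whose daemon crashes repeatedly. The sample log lines are constructed, and the `supervisor` process name and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real host).
# The "supervisor" line is a hypothetical wrapper message using the page's term.
SAMPLE_LOG = """\
Jan 12 10:01:02 host1 avahi-daemon[812]: Server startup complete. Host name is host1.local.
Jan 12 10:04:17 host1 kernel: avahi-daemon[812]: segfault at 7ffd1c2a0ff8 ip 00007f3a1b2c4d10 sp 00007ffd1c2a1000 error 6 in libavahi-core.so.7[7f3a1b2a0000+40000]
Jan 12 10:04:17 host1 systemd[1]: avahi-daemon.service: Main process exited, code=dumped, status=11/SEGV
Jan 12 10:09:40 host1 kernel: avahi-daemon[1377]: segfault at 7ffe00b1cff8 ip 00007f0c2d8e4d10 sp 00007ffe00b1d000 error 6 in libavahi-core.so.7[7f0c2d8c0000+40000]
Jan 12 10:09:41 host2 kernel: cupsd[440]: segfault at 0 ip 000055d0c0ffee00 sp 00007ffc0aa01000 error 4 in cupsd[55d0c0f00000+90000]
Jan 12 10:12:00 host3 supervisor[95]: avahi-daemon exited on SIGSEGV
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")
# The page's two terms plus the kernel and systemd crash forms.
CRASH = re.compile(r"segmentation fault|SIGSEGV|segfault at|status=11/SEGV", re.I)
# Only the two terms from the page's SIEM query, for comparison.
PAGE_QUERY = re.compile(r"segmentation fault|SIGSEGV", re.I)

def avahi_crashes(log_text, pattern=CRASH):
    """Return (timestamp, host, message) for every avahi-daemon crash line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and "avahi-daemon" in m.group(3) and pattern.search(m.group(3)):
            hits.append(m.groups())
    return hits

def crash_events_per_host(hits):
    """Count crashes per host; lines in the same minute count as one crash,
    so the kernel and systemd records of a single crash are not doubled."""
    events = {(host, ts[:-3]) for ts, host, _ in hits}
    return Counter(host for host, _ in events)

def repeated_crash_hosts(hits, threshold=2):
    """Hosts whose daemon crashed at least `threshold` times: worth an alert,
    since automatic restarts otherwise hide repeated triggering."""
    return sorted(h for h, n in crash_events_per_host(hits).items() if n >= threshold)

if __name__ == "__main__":
    hits = avahi_crashes(SAMPLE_LOG)
    for ts, host, msg in hits:
        print(ts, host, msg[:60])
    print("hosts with repeated crashes:", repeated_crash_hosts(hits))
    print("lines the page's two terms alone match:", len(avahi_crashes(SAMPLE_LOG, PAGE_QUERY)))
```

Grouping by minute is an approximation: a crash logged across a minute boundary is counted twice, so tune the window to your log source.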
