CVE-2026-24401

Published: Jan 24, 2026

Modified: Jan 26, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

Vendor	Product	Versions
avahi	avahi	affected `< 78eab31128479f06e30beb8c1cbf99dd921e2524`

Weaknesses (CWE)

CWE-674

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3

x_refsource_CONFIRM

https://github.com/avahi/avahi/issues/501

x_refsource_MISC

https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-24401

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References