{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.172Z", "datePublished": "2026-01-24T01:25:02.294Z", "dateUpdated": "2026-01-26T16:17:24.487Z"}, "containers": {"cna": {"title": "Avahi has Uncontrolled Recursion in lookup_handle_cname function", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"}, {"name": "https://github.com/avahi/avahi/issues/501", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/issues/501"}, {"name": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524"}], "affected": [{"vendor": "avahi", "product": "avahi", "versions": [{"version": "< 78eab31128479f06e30beb8c1cbf99dd921e2524", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:25:02.294Z"}, "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524."}], "source": {"advisory": "GHSA-h4vp-5m8j-f6w3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T16:14:24.982686Z", "id": "CVE-2026-24401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:17:24.487Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.172Z", "datePublished": "2026-01-24T01:25:02.294Z", "dateUpdated": "2026-01-26T16:17:24.487Z"}, "containers": {"cna": {"title": "Avahi has Uncontrolled Recursion in lookup_handle_cname function", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"}, {"name": "https://github.com/avahi/avahi/issues/501", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/issues/501"}, {"name": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524"}], "affected": [{"vendor": "avahi", "product": "avahi", "versions": [{"version": "< 78eab31128479f06e30beb8c1cbf99dd921e2524", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-24T01:25:02.294Z"}, "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524."}], "source": {"advisory": "GHSA-h4vp-5m8j-f6w3", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T16:14:24.982686Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:14:25.957Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*", "matchCriteriaId": "6481267F-934F-4A0C-9B25-59738E798458", "versionEndExcluding": "0.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "76971590-AEED-4CB1-B7B7-45EA8FD11524", "vulnerable": true}, {"criteria": "cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "83D94AE4-46AC-4955-BB0D-193CF79149A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524."}], "id": "CVE-2026-24401", "lastModified": "2026-02-12T15:58:27.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-24T02:15:48.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/avahi/avahi/issues/501"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "avahi: Avahi: Denial of Service via recursive CNAME record in mDNS response", "id": "2432534", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432534"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-674", "details": ["Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.", "A flaw was found in Avahi, a system that enables devices to discover services on a local network. A remote attacker can exploit this vulnerability by sending a specially crafted mDNS (multicast Domain Name System) response containing a recursive CNAME (Canonical Name) record. This triggers an uncontrolled recursion within the avahi-daemon process, leading to stack exhaustion and causing the service to crash. This results in a denial of service (DoS) for affected systems."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the avahi-daemon service if mDNS/DNS-SD functionality is not required on the system.\n```bash\nsudo systemctl disable --now avahi-daemon.service\nsudo systemctl mask avahi-daemon.service\n```\nDisabling this service may impact applications relying on mDNS for local network service discovery. A system reboot or service reload may be required for the changes to take full effect."}, "name": "CVE-2026-24401", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-01-24T01:25:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24401\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24401\nhttps://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524\nhttps://github.com/avahi/avahi/issues/501\nhttps://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"], "statement": "This MODERATE impact flaw in Avahi's `avahi-daemon` can lead to a denial of service. An attacker on the local network could send a specially crafted, unsolicited mDNS response containing a recursive CNAME record, causing unbounded recursion and a crash. This affects systems where Avahi's record browsers explicitly use multicast, such as those utilizing `nss-mdns`.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:58:04.713109+00:00", "value": {"mitigation_remediation": ["Upgrade Avahi to a version that contains commit 78eab31128479f06e30beb8c1cbf99dd921e2524 or later.", "Restart the avahi\u2011daemon service to load the updated code.", "If an upgrade cannot be performed immediately, disable AVAHI_LOOKUP_USE_MULTICAST in resolver or configuration files, or configure firewall rules to block unsolicited mDNS traffic from untrusted sources."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected products are the Avahi service discovery daemon provided by the avahi vendor. Versions 0.9rc2 and earlier, including 0.9rc1 and 0.9rc2, are vulnerable. The issue is present in all builds using the mDNS/DNS\u2011SD protocol suite when AVAHI_LOOKUP_USE_MULTICAST is set explicitly, such as record browsers created by resolvers used by nss-mdns.", "description_and_impact": "The vulnerability arises from an uncontrolled recursion in Avahi's lookup_handle_cname function when processing mDNS messages that contain a self\u2011referential CNAME record. This causes the daemon to crash with a segmentation fault, exhausting the stack and leading to a denial of service by terminating the avahi\u2011daemon process.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating a medium severity vulnerability. The EPSS score is below 1%, suggesting a low likelihood of exploitation but not zero. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to send a crafted unsolicited mDNS response containing a recursive CNAME record to a machine running the vulnerable Avahi daemon on the same local network, which can be achieved by simple network traffic injection or spoofing. If executed, the attack causes a crash of the daemon, disrupting local service discovery."}}}}, "created": "2026-01-26T11:48:57.932689+00:00", "updated": "2026-04-18T03:00:10.336850+00:00", "vendors": ["avahi", "avahi$PRODUCT$avahi"]}