CVE-2026-24401
- Source
- https://cve.org/CVERecord?id=CVE-2026-24401
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24401.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-24401
- Aliases
-
- GHSA-h4vp-5m8j-f6w3
- Downstream
- Related
- Published
- 2026-01-24T01:25:02.294Z
- Modified
- 2026-02-16T10:30:20.019120Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Avahi has Uncontrolled Recursion in lookup_handle_cname function
- Details
-
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookuphandlecname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHILOOKUPUSE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
- Database specific
{ "cwe_ids": [ "CWE-674" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24401.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24401.json
- https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524
- https://github.com/avahi/avahi/issues/501
- https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3
- https://nvd.nist.gov/vuln/detail/CVE-2026-24401
Affected packages
Git / github.com/avahi/avahi
Affected ranges
- Type
- GIT
- Repo
- https://github.com/avahi/avahi
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.6.32-rc
v0.*
v0.6.23
v0.6.24
v0.6.25
v0.6.26
v0.6.27
v0.6.28
v0.6.29
v0.6.30
v0.6.31
v0.6.32
v0.7
v0.8
v0.9-rc1
v0.9-rc2
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24401.json"
vanir_signatures
[
{
"deprecated": false,
"signature_type": "Function",
"digest": {
"length": 724.0,
"function_hash": "332737092712039648650165003545039931030"
},
"signature_version": "v1",
"source": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524",
"id": "CVE-2026-24401-173bd870",
"target": {
"file": "avahi-core/browse.c",
"function": "lookup_handle_cname"
}
},
{
"deprecated": false,
"signature_type": "Line",
"digest": {
"line_hashes": [
"151505114680226689991009913718028681377",
"156292945866089260300898979064104515909",
"102594860459434896414600153339778576587",
"271740318055916461206324138873014224655",
"212433022854709265375621083468558640536",
"15743829998157019946019777875182439863"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524",
"id": "CVE-2026-24401-2058ab72",
"target": {
"file": "avahi-core/browse.c"
}
}
]