2449317 – (CVE-2026-30872) CVE-2026-30872 OpenWrt: mdns daemon: OpenWrt mdns daemon: Remote Code Execution via stack-based buffer overflow

Bug 2449317 (CVE-2026-30872) - CVE-2026-30872 OpenWrt: mdns daemon: OpenWrt mdns daemon: Remote Code Execution via stack-based buffer overflow

Summary: CVE-2026-30872 OpenWrt: mdns daemon: OpenWrt mdns daemon: Remote Code Executi...

Keywords:
Status:	NEW
Alias:	CVE-2026-30872
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-19 23:05 UTC by OSIDB Bzimport
Modified:	2026-03-20 21:03 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-19 23:05:55 UTC

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.

Note You need to log in before you can comment on or make changes to this bug.