Igmpproxy · Igmpproxy · CVE-2025-50681
**Name of the Vulnerable Software and Affected Versions**
igmpproxy versions prior to commit 2b30c36
**Description**
A crafted IGMPv3 membership report packet with a malicious source address can cause a denial of service (application crash). Insufficient validation in the `recv_igmp()` function in `src/igmpproxy.c` allows an invalid group record type to trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. The software is used in embedded networking environments and consumer-grade IoT devices to handle multicast traffic.
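The class of check whose absence is described above, shown as an added example: it is not igmpproxy's code and not the change made in commit 2b30c36. The function name `igmpv3_report_check` and the sample packets are hypothetical; the layout and the record type range 1 to 6 follow RFC 3376, section 4.2.

```c
/* Added example: structural validation of an IGMPv3 membership report
 * (RFC 3376, section 4.2). Names are hypothetical, not igmpproxy's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IGMPV3_REPORT 0x22
#define REC_TYPE_MIN  1   /* MODE_IS_INCLUDE */
#define REC_TYPE_MAX  6   /* BLOCK_OLD_SOURCES */

/* Returns the number of valid group records, or -1 if the report is
 * malformed. Callers drop the packet on -1 before any per-record
 * handling or logging, so nothing keyed on the type can fail later. */
int igmpv3_report_check(const uint8_t *p, size_t len)
{
    if (p == NULL || len < 8 || p[0] != IGMPV3_REPORT)
        return -1;
    unsigned nrec = (unsigned)(p[6] << 8 | p[7]);
    size_t off = 8;                        /* invariant: off <= len */
    for (unsigned i = 0; i < nrec; i++) {
        if (len - off < 8)                 /* fixed record header */
            return -1;
        uint8_t type = p[off];
        size_t aux = (size_t)p[off + 1] * 4;   /* aux len is in 32-bit words */
        size_t nsrc = (size_t)(p[off + 2] << 8 | p[off + 3]);
        if (type < REC_TYPE_MIN || type > REC_TYPE_MAX)
            return -1;                     /* unknown record type */
        if ((p[off + 4] & 0xf0) != 0xe0)   /* group must be in 224.0.0.0/4 */
            return -1;
        size_t need = 8 + nsrc * 4 + aux;
        if (len - off < need)              /* source list or aux data overruns */
            return -1;
        off += need;
    }
    return (int)nrec;
}

/* Constructed sample reports (checksum left zero; not verified here). */
static const uint8_t ok_report[] = {0x22,0,0,0, 0,0,0,1, 4,0,0,0, 239,1,2,3};
static const uint8_t bad_type[]  = {0x22,0,0,0, 0,0,0,1, 9,0,0,0, 239,1,2,3};
static const uint8_t short_src[] = {0x22,0,0,0, 0,0,0,1, 1,0,0,2, 239,1,2,3};

int main(void)
{
    printf("ok=%d bad_type=%d short_src=%d\n",
           igmpv3_report_check(ok_report, sizeof ok_report),
           igmpv3_report_check(bad_type, sizeof bad_type),
           igmpv3_report_check(short_src, sizeof short_src));
    return 0;
}
```
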
**Recommendations**
Update to a version after commit 2b30c36.