PT-2026-26381 · Openwrt · Openwrt

Aparcar +2 · Published 2026-03-19 · Updated 2026-03-20 · CVE-2026-30872

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenWrt Project versions prior to 24.10.6
OpenWrt Project versions prior to 25.12.1

Description

The OpenWrt Project, a Linux operating system for embedded devices, contains a stack-based buffer overflow in the mdns daemon's match ipv6 addresses function. This occurs when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. The issue arises because the strcpy function copies data into a fixed 256-byte stack buffer without proper length validation, and the reverse IPv6 request is extracted into a 46-byte buffer. An attacker can exploit this by sending a crafted DNS query exceeding 46 bytes, leading to an out-of-bounds write and potential remote code execution.
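The missing length validation described above, shown as an added example (not code from OpenWrt or from its fix): a hypothetical helper, `ip6_arpa_to_addr`, that accepts only a well-formed `.ip6.arpa` name of exactly the expected length before anything is written to a 46-byte (`INET6_ADDRSTRLEN`) output buffer. The function name, the exact-length policy and the sample query name are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define IP6_NIBBLES 32
#define IP6_PREFIX_LEN (IP6_NIBBLES * 2 - 1)   /* "x.x. ... .x" is 63 chars */
static const char SUFFIX[] = ".ip6.arpa";
/* Constructed sample: the reverse name for 2001:db8::1 */
static const char SAMPLE_QNAME[] = "1.0.0.0." "0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0.0."
                                   "0.0.0.0." "8.b.d.0.1.0.0.2" ".ip6.arpa";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: writes the textual IPv6 address to out and returns 0,
 * or returns -1 for any malformed, truncated or oversized name. */
int ip6_arpa_to_addr(const char *qname, size_t len, char *out, size_t out_len)
{
    const size_t suffix_len = sizeof(SUFFIX) - 1;
    unsigned char addr[16] = {0};

    if (out_len < INET6_ADDRSTRLEN)
        return -1;
    if (len > 0 && qname[len - 1] == '.')   /* optional trailing root dot */
        len--;
    /* Exact-length check runs before any byte reaches a fixed buffer. */
    if (len != IP6_PREFIX_LEN + suffix_len)
        return -1;
    if (strncasecmp(qname + IP6_PREFIX_LEN, SUFFIX, suffix_len) != 0)
        return -1;
    for (int i = 0; i < IP6_NIBBLES; i++) {
        int v = hexval(qname[2 * i]);
        int pos = IP6_NIBBLES - 1 - i;      /* the name lists the lowest nibble first */
        if (v < 0 || (i < IP6_NIBBLES - 1 && qname[2 * i + 1] != '.'))
            return -1;
        addr[pos / 2] |= (unsigned char)(pos % 2 ? v : v << 4);
    }
    return inet_ntop(AF_INET6, addr, out, (socklen_t)out_len) ? 0 : -1;
}

int main(void)
{
    char text[INET6_ADDRSTRLEN];
    if (ip6_arpa_to_addr(SAMPLE_QNAME, strlen(SAMPLE_QNAME), text, sizeof text) == 0)
        puts(text);
    return 0;
}
```

Because the name is decoded into a 16-byte address and re-rendered with `inet_ntop`, the output length is bounded by the address format rather than by the attacker-supplied query.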
Recommendations

Update to OpenWrt Project version 24.10.6 or later.
Update to OpenWrt Project version 25.12.1 or later.

Exploit

Fix

RCE

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-30872
GHSA-MPGH-V658-JQV5

Affected Products

Openwrt