PT-2026-4557 · Avahi+3

Evverx · Published 2026-01-24 · Updated 2026-05-12 · CVE-2026-24401

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Avahi versions 0.9rc2 and below

Description

Avahi, a system for service discovery on a local network using mDNS/DNS-SD, is susceptible to a denial-of-service condition. Sending a crafted mDNS response with a recursive CNAME record, where the alias and canonical name are identical (e.g., "h.local" as a CNAME for "h.local"), can cause avahi-daemon to crash due to a segmentation fault. This occurs because of unbounded recursion within the lookup_handle_cname function, leading to stack exhaustion. The issue specifically impacts record browsers where AVAHI_LOOKUP_USE_MULTICAST is explicitly enabled, including those used by nss-mdns.

Recommendations

Versions prior to 0.9rc2 should be updated to a version with the fix included in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
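The weakness class in the description, shown as an added example (this is not Avahi's code and not the change made in the commit above): a CNAME chain followed iteratively, with a self-reference check and a hop cap so stack use stays constant whatever the records contain. The record table, MAX_CNAME_HOPS, and the names find and resolve are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample cache: each name has either a CNAME target or an address. */
struct rec { const char *name; const char *cname; const char *addr; };

static const struct rec cache[] = {
    { "h.local",    "h.local",    NULL },         /* alias == canonical name */
    { "a.local",    "b.local",    NULL },
    { "b.local",    "a.local",    NULL },         /* two-record loop */
    { "www.local",  "host.local", NULL },
    { "host.local", NULL,         "192.0.2.10" },
};

#define MAX_CNAME_HOPS 8   /* assumed limit for this example, not a value from Avahi */
enum { RESOLVE_OK = 0, RESOLVE_NOT_FOUND = -1, RESOLVE_LOOP = -2 };

static const struct rec *find(const char *name) {
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
        if (strcasecmp(cache[i].name, name) == 0)   /* DNS names compare case-insensitively */
            return &cache[i];
    return NULL;
}

/* Follow CNAMEs in a loop instead of recursing: a record that points at itself
   is rejected at once, and longer cycles stop at the hop cap. */
int resolve(const char *name, const char **addr_out) {
    for (int hops = 0; hops <= MAX_CNAME_HOPS; hops++) {
        const struct rec *r = find(name);
        if (!r) return RESOLVE_NOT_FOUND;
        if (r->addr) { *addr_out = r->addr; return RESOLVE_OK; }
        if (strcasecmp(r->cname, name) == 0) return RESOLVE_LOOP;
        name = r->cname;
    }
    return RESOLVE_LOOP;   /* chain longer than the cap, treated as a loop */
}

int main(void) {
    const char *names[] = { "www.local", "h.local", "a.local", "x.local" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *addr = "-";
        int rc = resolve(names[i], &addr);
        printf("%-10s rc=%d addr=%s\n", names[i], rc, addr);
    }
    return 0;
}
```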

Exploit

Fix

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

AZL-75204
AZL-75207
BDU:2026-05066
CVE-2026-24401
ECHO-E408-9130-B921
GHSA-H4VP-5M8J-F6W3
OESA-2026-1450
OPENSUSE-SU-2026:10701-1
RHSA-2026:11316
SUSE-SU-2026:1191-1
SUSE-SU-2026:1441-1
SUSE-SU-2026:1442-1
SUSE-SU-2026:21117-1
SUSE-SU-2026:21127-1
USN-8269-1

Affected Products

Avahi
Linuxmint
Ubuntu
Nss-Mdns