{"id":"CVE-2026-24401","summary":"Avahi has Uncontrolled Recursion in lookup_handle_cname function","details":"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., \"h.local\" as a CNAME for \"h.local\"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.","aliases":["GHSA-h4vp-5m8j-f6w3"],"modified":"2026-05-07T08:59:24.066636378Z","published":"2026-01-24T01:25:02.294Z","related":["CGA-2vv7-p7cc-jq9r","SUSE-SU-2026:1191-1","SUSE-SU-2026:1441-1","SUSE-SU-2026:1442-1","SUSE-SU-2026:21117-1","SUSE-SU-2026:21127-1","openSUSE-SU-2026:10701-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24401.json","cwe_ids":["CWE-674"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24401.json"},{"type":"ADVISORY","url":"https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24401"},{"type":"REPORT","url":"https://github.com/avahi/avahi/issues/501"},{"type":"FIX","url":"https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/avahi/avahi","events":[{"introduced":"0"},{"fixed":"78eab31128479f06e30beb8c1cbf99dd921e2524"}]},{"type":"GIT","repo":"https://github.com/lathiat/avahi","events":[{"introduced":"0"},{"last_affected":"8ee3bd6f7921b489bde14f120187a5becf134d30"},{"introduced":"0"},{"last_affected":"1dade81cbf4d3e3f49784e44e543cd77046c79df"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.9-rc1"},{"introduced":"0"},{"last_affected":"0.9-rc2"}]}}],"versions":["0.6.32-rc","v0.6.23","v0.6.24","v0.6.25","v0.6.26","v0.6.27","v0.6.28","v0.6.29","v0.6.30","v0.6.31","v0.6.32","v0.7","v0.8","v0.9-rc1","v0.9-rc2"],"database_specific":{"vanir_signatures_modified":"2026-04-12T20:21:44Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"0.9"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24401.json","vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"332737092712039648650165003545039931030","length":724},"signature_type":"Function","deprecated":false,"source":"https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","id":"CVE-2026-24401-173bd870","target":{"function":"lookup_handle_cname","file":"avahi-core/browse.c"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["151505114680226689991009913718028681377","156292945866089260300898979064104515909","102594860459434896414600153339778576587","271740318055916461206324138873014224655","212433022854709265375621083468558640536","15743829998157019946019777875182439863"]},"source":"https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524","deprecated":false,"signature_type":"Line","id":"CVE-2026-24401-2058ab72","target":{"file":"avahi-core/browse.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}