{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30871", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.698Z", "datePublished": "2026-03-19T21:49:50.876Z", "dateUpdated": "2026-03-19T21:49:50.876Z"}, "containers": {"cna": {"title": "OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.5, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"version": "< 24.10.6", "status": "affected"}, {"version": ">= 25.12.0-rc1, < 25.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:49:50.876Z"}, "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "source": {"advisory": "GHSA-7c3j-f7w2-p8f6", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "id": "CVE-2026-30871", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.633", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenWrt: mdns: OpenWrt mdns daemon: Arbitrary code execution via crafted DNS packets", "id": "2449240", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449240"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in the OpenWrt mdns daemon. A remote attacker can exploit a Stack-based Buffer Overflow vulnerability in the `parse_question` function by sending specially crafted DNS (Domain Name System) packets. These packets, specifically PTR (Pointer Record) queries for reverse DNS domains, can cause the `dn_expand` function to inflate the size of the expanded name. This inflated name is then copied into a smaller fixed-size buffer using an unbounded copy operation, leading to a buffer overflow. This can result in arbitrary code execution or a denial of service (DoS) on the affected device."], "name": "CVE-2026-30871", "public_date": "2026-03-19T21:49:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30871\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30871\nhttps://github.com/openwrt/openwrt/releases/tag/v24.10.6\nhttps://github.com/openwrt/openwrt/releases/tag/v25.12.1\nhttps://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"], "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.10.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.12.0-rc1,25.12.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openwrt", "source": "cna", "vendor": "openwrt"}, "product": "openwrt", "vendor": "openwrt"}], "analysis": {"en": {"generated_at": "2026-03-20T01:23:09.500688+00:00", "value": {"mitigation_remediation": ["Upgrade the OpenWrt firmware to version 24.10.6 or later, or to 25.12.1 or later, which contain the fix for the mdns stack overflow.", "If an upgrade is not immediately possible, disable or remove the mdns daemon from the device configuration to prevent processing of multicast DNS packets.", "Monitor network traffic for anomalous PTR queries on UDP port 5353 and block suspicious packets at the router or firewall level.", "Check the OpenWrt release notes and vendor advisories regularly for updates and apply any subsequent security patches as they become available."], "summary": {"action": "Immediate Patch", "impact": "Stack-based Buffer Overflow potentially enabling Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products are the OpenWrt operating system (vendor openwrt), specifically all builds prior to version 24.10.6 and 25.12.1. The issue is present in the mdns daemon component of these builds; upgrade to release 24.10.6 or later, or 25.12.1 or later, removes the vulnerability.", "description_and_impact": "The vulnerability is a stack-based buffer overflow in the mdns daemon\u2019s parse_question function of the OpenWrt Project. It is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). When a DNS packet arrives on UDP port 5353, the dn_expand routine expands the queried name into an 8,096\u2011byte global buffer (name_buffer). A subsequent unbounded strcpy copies that expanded name into a fixed 256\u2011byte stack buffer while processing TYPE_PTR queries. Because dn_expand converts non\u2011printable ASCII bytes into multi\u2011character octal representations, the expanded name can become much larger than the stack buffer, allowing an attacker to overflow the buffer. The overflow can corrupt the stack and potentially lead to arbitrary code execution or denial of service. This weakness corresponds to CWE\u2011120 (Classic Buffer Overflow) and CWE\u2011121 (Stack-based Buffer Overflow).", "risk_and_exploitability": "The CVSS score for this vulnerability is 9.5, indicating a very high severity. The EPSS score is not available, so the current estimated likelihood of exploit is unknown. The vulnerability is not cataloged in the CISA KEV list. It can be reached through normal multicast DNS traffic on UDP port 5353, meaning that any device on the same network that receives such traffic can potentially trigger the overflow. An attacker would need to craft a malicious PTR query that expands beyond the stack buffer size. Given the high CVSS and the ease of sending a malicious DNS packet, the risk to systems that use the affected OpenWrt releases is substantial."}}}}, "created": "2026-03-20T08:55:28.364576+00:00", "updated": "2026-03-20T11:05:50.705844+00:00", "vendors": ["openwrt", "openwrt$PRODUCT$openwrt"]}