{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30872", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.698Z", "datePublished": "2026-03-19T21:56:23.472Z", "dateUpdated": "2026-03-19T21:56:23.472Z"}, "containers": {"cna": {"title": "OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.5, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"version": ">= 25.12.0-rc1, < 25.12.1", "status": "affected"}, {"version": "< 24.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:56:23.472Z"}, "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "source": {"advisory": "GHSA-mpgh-v658-jqv5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "id": "CVE-2026-30872", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.797", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenWrt: mdns daemon: OpenWrt mdns daemon: Remote Code Execution via stack-based buffer overflow", "id": "2449317", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449317"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in OpenWrt's mdns daemon. A remote attacker can exploit a stack-based buffer overflow vulnerability by sending a specially crafted DNS query. This occurs when processing IPv6 reverse DNS queries, where the system fails to validate the length of incoming data. Successful exploitation could lead to an out-of-bounds write, potentially allowing the attacker to execute arbitrary code on the affected device."], "name": "CVE-2026-30872", "public_date": "2026-03-19T21:56:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30872\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30872\nhttps://github.com/openwrt/openwrt/releases/tag/v24.10.6\nhttps://github.com/openwrt/openwrt/releases/tag/v25.12.1\nhttps://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"], "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.12.0-rc1,25.12.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.10.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openwrt", "source": "cna", "vendor": "openwrt"}, "product": "openwrt", "vendor": "openwrt"}], "analysis": {"en": {"generated_at": "2026-03-20T01:22:55.609635+00:00", "value": {"mitigation_remediation": ["Upgrade OpenWrt to version 24.10.6 or later", "Upgrade OpenWrt to version 25.12.1 or later", "As a temporary mitigation, consider disabling the mdns service if it is not required", "Restrict or block UDP port 5353 at the network perimeter to limit exposure"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects OpenWrt devices running OpenWrt OS prior to version 24.10.6 and 25.12.1. The vulnerability is present in the openwrt:openwrt product bundle and is fixed in the 24.10.6 and 25.12.1 release updates.", "description_and_impact": "OpenWrt\u2019s mdns daemon contains a stack\u2011based buffer overflow in the match_ipv6_addresses function. The vulnerability occurs when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. An attacker sends a specially crafted DNS packet containing a domain name longer than 46 characters, causing an out\u2011of\u2011bounds write into a 256\u2011byte stack buffer. This flaw is a CWE\u2011121 type stack buffer overflow and enables remote code execution on devices running the affected mdns daemon.", "risk_and_exploitability": "The CVSS score of 9.5 classifies the issue as Critical. Exploitation requires network access to UDP port 5353 and does not require authentication, indicating a remote attack vector. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Given the high severity and the ease of triggering the overflow, the risk of exploitation is significant for exposed embedded devices."}}}}, "created": "2026-03-20T08:55:25.826405+00:00", "updated": "2026-03-20T11:05:48.088606+00:00", "vendors": ["openwrt", "openwrt$PRODUCT$openwrt"]}