CVE-2026-30871

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-30871
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30871.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30871
Aliases
  • GHSA-7c3j-f7w2-p8f6
Published
2026-03-19T21:49:50.876Z
Modified
2026-04-10T05:41:56.689534Z
Severity
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
Details

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parsequestion function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dnexpand into an 8096-byte global buffer (namebuffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPEPTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.

Database specific 
{
    "cwe_ids": [
        "CWE-121"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30871.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openwrt/openwrt

Affected ranges

Type
GIT
Repo
https://github.com/openwrt/openwrt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ec8eeaa8fbd3122b9b9e68b7db02707884a19c9c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.10.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/openwrt/openwrt
Events
Introduced
b1a74b1cde0dd9b4c07bb5ba7020f94967912f2d
Fixed
d6115e42127481645ae7210c9d8ca1bd14313473
Database specific 
{
    "versions": [
        {
            "introduced": "25.12.0-rc1"
        },
        {
            "fixed": "25.12.1"
        }
    ]
}

Affected versions

Other
reboot
v24.*
v24.10.0
v24.10.0-rc1
v24.10.0-rc2
v24.10.0-rc3
v24.10.0-rc4
v24.10.0-rc5
v24.10.0-rc6
v24.10.0-rc7
v24.10.1
v24.10.2
v24.10.3
v24.10.4
v24.10.5
v25.*
v25.12.0
v25.12.0-rc1
v25.12.0-rc2
v25.12.0-rc3
v25.12.0-rc4
v25.12.0-rc5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30871.json"