CVE-2025-68468 - Vulnerability Details - OpenCVE

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a
https://github.com/avahi/avahi/issues/683
https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52

History

Mon, 12 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 12 Jan 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.
Title		Avahi has a reachable assertion in lookup_multicast_callback
Weaknesses		CWE-617
References		https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a https://github.com/avahi/avahi/issues/683 https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-12T17:38:10.492Z

Updated: 2026-01-12T18:41:50.855Z

Reserved: 2025-12-18T13:48:59.555Z

Link: CVE-2025-68468

Vulnrichment

Updated: 2026-01-12T18:41:47.044Z

NVD

Status : Received

Published: 2026-01-12T18:15:48.173

Modified: 2026-01-12T18:15:48.173

Link: CVE-2025-68468

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68468", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-18T13:48:59.555Z", "datePublished": "2026-01-12T17:38:10.492Z", "dateUpdated": "2026-01-12T18:41:50.855Z"}, "containers": {"cna": {"title": "Avahi has a reachable assertion in lookup_multicast_callback", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52"}, {"name": "https://github.com/avahi/avahi/issues/683", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/issues/683"}, {"name": "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a", "tags": ["x_refsource_MISC"], "url": "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a"}], "affected": [{"vendor": "avahi", "product": "avahi", "versions": [{"version": "<= 0.9-rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:38:10.492Z"}, "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes."}], "source": {"advisory": "GHSA-cp79-r4x9-vf52", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:41:41.101488Z", "id": "CVE-2025-68468", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:41:50.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68468", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T18:41:41.101488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:41:47.044Z"}}], "cna": {"title": "Avahi has a reachable assertion in lookup_multicast_callback", "source": {"advisory": "GHSA-cp79-r4x9-vf52", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "avahi", "product": "avahi", "versions": [{"status": "affected", "version": "<= 0.9-rc2"}]}], "references": [{"url": "https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52", "name": "https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/avahi/avahi/issues/683", "name": "https://github.com/avahi/avahi/issues/683", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a", "name": "https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617: Reachable Assertion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:38:10.492Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68468", "state": "PUBLISHED", "dateUpdated": "2026-01-12T18:41:50.855Z", "dateReserved": "2025-12-18T13:48:59.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T17:38:10.492Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}