CVE-2026-30871
Published: 19 March 2026
Summary
CVE-2026-30871 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in OpenWrt. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the stack-based buffer overflow in the mdns daemon by identifying, reporting, and applying patches from OpenWrt versions 24.10.6 and 25.12.1.
Implements memory protections like stack canaries, ASLR, and DEP that detect overflows or prevent reliable exploitation of the stack buffer in parse_question.
Requires validation of expanded DNS name lengths from dn_expand before copying to the 256-byte stack buffer, addressing the unbounded strcpy vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote stack buffer overflow in network-facing mDNS daemon (UDP 5353) enables unauthenticated RCE on public-facing service.
NVD Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
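The length check that the description implies is missing, shown as an added example; this is not OpenWrt's code or its actual patch. `expand_bytes`, `copy_name_checked` and `PTR_NAME_MAX` are hypothetical names, and the escaping is a simplified model of the expansion described above rather than libc's `dn_expand`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PTR_NAME_MAX 256   /* fixed stack buffer size named in the advisory */

/* Simplified model of the expansion (not libc's dn_expand): printable bytes
 * are kept, every other byte becomes a four-character "\ooo" escape.
 * Returns the text length, or 0 if the result does not fit in out. */
static size_t expand_bytes(const unsigned char *raw, size_t n,
                           char *out, size_t out_size)
{
    size_t pos = 0;
    if (out_size == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = isprint(raw[i]) ? 1 : 4;
        if (pos + need + 1 > out_size)
            return 0;
        if (need == 1)
            out[pos++] = (char)raw[i];
        else
            pos += (size_t)snprintf(out + pos, 5, "\\%03o", (unsigned)raw[i]);
    }
    out[pos] = '\0';
    return pos;
}

/* Checked replacement for strcpy(dst, expanded): returns 0 on success and
 * -1, leaving dst untouched, when the name plus its NUL exceeds dst_size. */
static int copy_name_checked(char *dst, size_t dst_size, const char *expanded)
{
    const char *end = memchr(expanded, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* reject the query, do not truncate */
    memcpy(dst, expanded, (size_t)(end - expanded) + 1);
    return 0;
}

int main(void)
{
    unsigned char raw[64];              /* constructed sample input */
    char name_buffer[8096], name[PTR_NAME_MAX];
    memset(raw, 0x01, sizeof raw);
    for (size_t n = 63; n <= 64; n++) {
        size_t len = expand_bytes(raw, n, name_buffer, sizeof name_buffer);
        printf("%zu raw bytes -> %zu chars: %s\n", n, len,
               copy_name_checked(name, sizeof name, name_buffer) ? "rejected" : "copied");
    }
    return 0;
}
```

In this model the 256-byte destination stops fitting at 64 non-printable input bytes, which is why the check has to run on the expanded text rather than on the size of the received packet.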
Deeper analysis
CVE-2026-30871 is a stack-based buffer overflow vulnerability (CWE-121) in the mdns daemon of the OpenWrt Project, a Linux operating system targeting embedded devices. The flaw affects versions prior to 24.10.6 and 25.12.1 and resides in the parse_question function. It is triggered by PTR queries for reverse DNS domains such as .in-addr.arpa and .ip6.arpa. DNS packets received on UDP port 5353 are processed by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer. The overflow occurs because dn_expand expands non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), inflating the name beyond the stack buffer's capacity.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Any remote attacker can send a crafted multicast DNS packet to UDP port 5353, leveraging the normal mDNS processing flow to trigger the stack buffer overflow. Successful exploitation could allow arbitrary code execution, potentially leading to full compromise of the affected embedded device with high impacts on confidentiality, integrity, and availability.
OpenWrt has addressed the issue in versions 24.10.6 and 25.12.1, as detailed in the project's release notes and security advisory (GHSA-7c3j-f7w2-p8f6). Security practitioners should update affected devices to these patched versions to mitigate the risk.
Details
- CWE(s)