CVE-2026-30872
Published: 19 March 2026
Summary
CVE-2026-30872 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in OpenWrt. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws like this buffer overflow by applying patches released in OpenWrt versions 24.10.6 and 25.12.1.
SI-10 mandates validation of input lengths and formats before processing mDNS queries, directly preventing the unvalidated extraction into the 46-byte buffer that causes the overflow.
SI-16 enforces memory protections such as stack canaries and address space layout randomization to mitigate stack-based buffer overflows leading to remote code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated stack buffer overflow in the mDNS daemon (UDP 5353) directly enables exploitation of a remote service to achieve RCE/initial access on the device.
NVD Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
Deeper analysis
CVE-2026-30872 is a stack-based buffer overflow vulnerability (CWE-121) in the mdns daemon of the OpenWrt Project, a Linux operating system targeting embedded devices. The flaw affects versions prior to 24.10.6 and 25.12.1, specifically in the match_ipv6_addresses function. It occurs when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. The domain name from the name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and the reverse IPv6 request is then extracted into a 46-byte buffer (INET6_ADDRSTRLEN) without validating the input length, enabling an out-of-bounds write.
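The length validation the advisory says is missing, shown as an added defender's example that is not OpenWrt's code and not the match_ipv6_addresses function itself: a parser for .ip6.arpa PTR query names that checks the exact 72-character shape of a reverse IPv6 name before anything is written into the INET6_ADDRSTRLEN buffer (the SI-10 control above, applied at the point of extraction). The function names, the sample name and the 300-byte over-long input are constructed for this illustration.

```c
#include <arpa/inet.h>    /* inet_ntop, INET6_ADDRSTRLEN (46) */
#include <stdbool.h>
#include <string.h>

#define IP6_ARPA_SUFFIX  ".ip6.arpa"
#define IP6_ARPA_NIBBLES 32
/* 32 hex nibbles, 31 dots, then the suffix: a valid name is always 72 characters. */
#define IP6_ARPA_NAME_LEN (IP6_ARPA_NIBBLES * 2 - 1 + sizeof(IP6_ARPA_SUFFIX) - 1)

static int nibble_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Validate a .ip6.arpa PTR query name and, only if it is well formed, write the
 * textual IPv6 address into out[INET6_ADDRSTRLEN]. Length and every character are
 * checked before any write, so an oversized or malformed name never reaches the buffer. */
bool ip6_arpa_to_text(const char *name, size_t name_len, char out[INET6_ADDRSTRLEN])
{
    if (name_len != IP6_ARPA_NAME_LEN)
        return false;
    if (memcmp(name + IP6_ARPA_NIBBLES * 2 - 1, IP6_ARPA_SUFFIX, sizeof(IP6_ARPA_SUFFIX) - 1) != 0)
        return false;
    struct in6_addr addr;
    memset(&addr, 0, sizeof(addr));
    for (int i = 0; i < IP6_ARPA_NIBBLES; i++) {      /* reverse names list nibbles LSB first */
        int v = nibble_value(name[i * 2]);
        if (v < 0 || (i < IP6_ARPA_NIBBLES - 1 && name[i * 2 + 1] != '.'))
            return false;
        int p = IP6_ARPA_NIBBLES - 1 - i;              /* nibble position counted from the MSB */
        addr.s6_addr[p / 2] |= (unsigned char)(p % 2 == 0 ? v << 4 : v);
    }
    return inet_ntop(AF_INET6, &addr, out, INET6_ADDRSTRLEN) != NULL;
}

/* Constructed sample: the reverse name for 2001:db8::1, one 4-nibble group per literal. */
static const char SAMPLE_NAME[] =
    "1.0.0.0." "0.0.0.0." "0.0.0.0." "0.0.0.0." "0.0.0.0." "0.0.0.0."
    "8.b.d.0." "1.0.0.2" IP6_ARPA_SUFFIX;

/* True when an over-long name is rejected without touching the buffer and the
 * constructed sample round-trips to "2001:db8::1". */
bool demo_checks(void)
{
    char text[INET6_ADDRSTRLEN] = "untouched", big[300];
    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    if (ip6_arpa_to_text(big, strlen(big), text) || strcmp(text, "untouched") != 0)
        return false;
    return ip6_arpa_to_text(SAMPLE_NAME, sizeof(SAMPLE_NAME) - 1, text) &&
           strcmp(text, "2001:db8::1") == 0;
}
```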
An unauthenticated attacker with network access can exploit this vulnerability by sending a specially crafted DNS query over mDNS, requiring no privileges, user interaction, or special conditions (CVSS:3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation overflows the stack buffer, potentially allowing remote code execution on the affected device.
The OpenWrt security advisory (GHSA-mpgh-v658-jqv5) and release notes confirm the issue has been addressed in versions 24.10.6 and 25.12.1, available at the respective GitHub release pages. Security practitioners should update affected OpenWrt installations to these versions to mitigate the risk.
Details
- CWE(s)