CVE-2026-30871 in OpenWRT

Summary

by MITRE • 03/20/2026

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability identified as CVE-2026-30871 affects the OpenWrt Project's multicast DNS daemon, which embedded Linux systems use for local network discovery over standard multicast DNS. The flaw is in the mdns daemon's parse_question function, where improper buffer handling creates a stack-based buffer overflow that can be triggered by crafted DNS packets. The vulnerability is particularly concerning because it is reached over the standard UDP port 5353 used for multicast DNS communications, making it accessible through normal network operations without requiring special privileges or conditions.

The technical flaw stems from a fundamental mismatch between buffer allocation and data handling in the DNS packet processing pipeline. When the daemon receives DNS packets containing PTR queries for reverse DNS domains such as .in-addr.arpa and .ip6.arpa, the dn_expand function processes these queries by expanding them into a global 8096-byte buffer called name_buffer. This expansion process converts non-printable ASCII bytes into multi-character octal representations, causing significant data inflation. The inflated data is then copied using an unbounded strcpy operation into a fixed 256-byte stack buffer, creating the overflow condition that can be exploited by attackers to overwrite adjacent stack memory.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as the stack-based buffer overflow creates opportunities for arbitrary code execution within the context of the mdns daemon process. Attackers can craft malicious DNS packets that trigger the buffer overflow during normal multicast DNS packet processing, potentially allowing them to execute arbitrary code on affected devices. This represents a significant security risk for embedded network devices that rely on OpenWrt's multicast DNS functionality, as these devices often serve as network infrastructure components with elevated privileges. The vulnerability is particularly dangerous in environments where these devices operate as network gateways or routers, as exploitation could lead to complete system compromise and unauthorized network access.

This vulnerability aligns with CWE-121 Stack-based Buffer Overflow, which describes buffer overflows that occur when data is written beyond the bounds of a fixed-length buffer allocated on the stack. The ATT&CK framework categorizes this as a privilege escalation technique through code injection, as the overflow could enable attackers to execute malicious code within the privileged context of the mdns daemon. The exploitation requires minimal network access and can be performed through standard DNS packet delivery, making it particularly dangerous for devices that process multicast DNS traffic without proper input validation. The fix implemented in versions 24.10.6 and 25.12.1 addresses the core issue by implementing proper bounds checking and using safer string handling functions that prevent the unbounded copy operation from overflowing the stack buffer. Organizations should prioritize updating their OpenWrt installations to mitigate this vulnerability and protect their embedded network infrastructure from potential exploitation.
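As an added illustration (not OpenWrt's code or its patch), the following C sketch models the name inflation described above and the length check that an unbounded strcpy lacks. expand_name is a simplified stand-in for dn_expand (no compression pointers, octal escapes as the summary describes); every function name and the sample labels are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define STACK_NAME_LEN 256     /* fixed stack buffer size stated in the advisory */
static char name_buffer[8096]; /* global expansion buffer size stated in the advisory */
/* Simplified model of name expansion (no compression pointers): writes dotted text and
 * escapes non-printable bytes as backslash + three octal digits. Returns length or -1. */
static int expand_name(const unsigned char *wire, size_t wire_len, char *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < wire_len && wire[i] != 0) {
        size_t n = wire[i++];
        if (n > 63 || i + n > wire_len) return -1; /* malformed label */
        if (o > 0) { if (o + 1 >= out_len) return -1; out[o++] = '.'; }
        for (; n > 0; n--, i++) {
            int printable = wire[i] > 0x20 && wire[i] < 0x7f && wire[i] != '.' && wire[i] != '\\';
            if (o + (printable ? 1 : 4) >= out_len) return -1;
            if (printable) out[o++] = (char)wire[i];
            else o += (size_t)snprintf(out + o, out_len - o, "\\%03o", (unsigned)wire[i]);
        }
    }
    if (i >= wire_len) return -1; /* missing root-label terminator */
    out[o] = '\0';
    return (int)o;
}
/* Bounded replacement for an unchecked strcpy(): rejects names that do not fit. */
static int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}
/* Constructed sample: three 63-byte labels of one byte value (193 wire bytes). */
static int expanded_len(unsigned char fill)
{
    unsigned char wire[3 * 64 + 1] = {0};
    for (int l = 0; l < 3; l++) { wire[l * 64] = 63; memset(wire + l * 64 + 1, fill, 63); }
    return expand_name(wire, sizeof wire, name_buffer, sizeof name_buffer);
}
/* Expands the sample, then applies the bounded copy into a 256-byte stack buffer. */
static int fits_stack_buffer(unsigned char fill)
{
    char name[STACK_NAME_LEN];
    return expanded_len(fill) < 0 ? -1 : copy_name_checked(name, sizeof name, name_buffer);
}
int main(void)
{
    printf("'a': %d fits=%d; 0x01: %d fits=%d\n", expanded_len('a'), fits_stack_buffer('a'), expanded_len(0x01), fits_stack_buffer(0x01));
    return 0;
}
```

The same 193 wire bytes yield 191 characters when printable and 758 when every byte needs an escape, so the destination size has to be checked against the expanded text, not the wire length.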

Responsible: GitHub M
Reservation: 03/06/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00023
KEV: no
Activities: very low
