Avahi

By the Year

In 2025 there have been 0 vulnerabilities in Avahi. Last year, in 2024, Avahi had 2 security vulnerabilities published. Right now, Avahi is on track to have fewer security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 2 5.30
2023 6 5.50
2022 0 0.00
2021 3 6.27
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Avahi vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Avahi Security Vulnerabilities

Avahi-daemon DNS Transaction ID Predictability Vulnerability

CVE-2024-52616 5.3 - Medium - November 21, 2024

A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

Small Space of Random Values

Avahi-daemon: Fixed Source Port Vulnerability in Wide-Area DNS Queries

CVE-2024-52615 5.3 - Medium - November 21, 2024

A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.

Use of Insufficiently Random Values

A vulnerability was found in Avahi

CVE-2023-38473 5.5 - Medium - November 02, 2023

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

assertion failure

A vulnerability was found in Avahi

CVE-2023-38472 5.5 - Medium - November 02, 2023

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.

assertion failure

A vulnerability was found in Avahi

CVE-2023-38471 5.5 - Medium - November 02, 2023

A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

assertion failure

A vulnerability was found in Avahi

CVE-2023-38470 5.5 - Medium - November 02, 2023

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

assertion failure

A vulnerability was found in Avahi

CVE-2023-38469 5.5 - Medium - November 02, 2023

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

assertion failure

A vulnerability was found in the avahi library

CVE-2023-1981 5.5 - Medium - May 26, 2023

A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.

Resource Exhaustion

A flaw was found in avahi in versions 0.6 up to 0.8

CVE-2021-3468 5.5 - Medium - June 02, 2021

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

Infinite Loop

A flaw was found in avahi 0.8-5

CVE-2021-3502 5.5 - Medium - May 07, 2021

A flaw was found in avahi 0.8-5. A reachable assertion is present in the avahi_s_host_name_resolver_start function, allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

NULL Pointer Dereference

avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and

CVE-2021-26720 7.8 - High - February 17, 2021

avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.

insecure temporary file

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses

CVE-2017-6519 9.1 - Critical - May 01, 2017

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.

Origin Validation Error

avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29

CVE-2011-1002 - February 22, 2011

avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.

Infinite Loop
