CVE-2024-52615
Published: November 19, 2024Last modified: August 6, 2025
Description
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Notes
There was a PR that look like a fix for this CVE that got merged a couple days ago, but other distros is slow to react to it as of Jun 24 2025: https://github.com/avahi/avahi/pull/662
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | avahi | Fixed (0.8-r8) |
| 25 LTS | avahi | Fixed (0.8-r21) | |
| Stream | avahi | Fixed (0.8-r21) |