=====================================================================
CERT-Renater Note d'Information No. 2026/VULN326
_____________________________________________________________________
DATE                 : 23/03/2026
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running OpenWrt versions prior to 24.10.6 and 25.12.1.
=====================================================================
https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6
https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5
https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m
https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934
_____________________________________________________________________

mdnsd: Stack buffer overflow in DNS PTR query
Severity: Critical
GHSA-7c3j-f7w2-p8f6, published by aparcar on Mar 19, 2026

Package           : OpenWrt
Affected versions : < 24.10.6, < 25.12.1
Patched versions  : 24.10.6, 25.12.1

Description

The mdns daemon contains a stack buffer overflow vulnerability in the parse_question function when processing PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). The vulnerability is reachable through normal DNS packet processing when the daemon receives multicast DNS queries on UDP port 5353.

DNS packets are first processed by dns_handle_packet, which validates and processes the packets in dns_consume_name. This function calls dn_expand to expand the queried domain into the fixed-size global buffer name_buffer, which holds 8096 bytes (MAX_NAME_LEN). The same global buffer is then processed in the parse_question function, where the different types of DNS queries are handled. For TYPE_PTR queries, the function checks whether name_buffer ends with a reverse DNS suffix. When a match is found, it performs an unbounded strcpy from the potentially large expanded name in name_buffer into fixed 256-byte stack buffers.
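Added illustration, not mdnsd's code: the length arithmetic behind this overflow and the bound the PTR copy is missing. expanded_label_len models the \DDD escaping that dn_expand applies to non-printable bytes (1 byte in, 4 bytes out); unbounded_copy_would_write only computes how many bytes the flawed strcpy would emit, and copy_reverse_name_bounded is the checked form. All function names, the oversized_name sample and the simplified escaping rule are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Presentation-form length of one wire label as dn_expand emits it: printable
 * ASCII stays 1 byte, a non-printable byte becomes the 4-byte escape \DDD
 * (the 2-byte escapes for '.' and '\\' are ignored in this simplification). */
size_t expanded_label_len(const unsigned char *label, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (label[i] >= 0x20 && label[i] <= 0x7e) ? 1 : 4;
    return out;
}

/* Length of the part before suffix, or -1 when name does not end in suffix. */
static long stripped_len(const char *name, const char *suffix)
{
    size_t nl = strlen(name), sl = strlen(suffix);
    if (nl < sl || strcmp(name + nl - sl, suffix) != 0)
        return -1;
    return (long)(nl - sl);
}

/* Flawed pattern from the advisory, simulated rather than performed: once the
 * suffix matches, strcpy writes stripped length + 1 (NUL) bytes into the fixed
 * 256-byte buffer whatever its size. Returns that byte count. */
size_t unbounded_copy_would_write(const char *name, const char *suffix)
{
    long keep = stripped_len(name, suffix);
    return keep < 0 ? 0 : (size_t)keep + 1;
}

/* Hardened form: reject a name whose stripped part plus NUL does not fit dst,
 * otherwise copy with an explicit bound. Passing dstlen = INET6_ADDRSTRLEN
 * (46) applies the same check to the IPv6 path of the second advisory. */
bool copy_reverse_name_bounded(const char *name, const char *suffix,
                               char *dst, size_t dstlen)
{
    long keep = stripped_len(name, suffix);
    if (keep < 0 || (size_t)keep >= dstlen)
        return false;
    memcpy(dst, name, (size_t)keep);
    dst[keep] = '\0';
    return true;
}

/* Constructed sample: a 300-byte owner part exceeds 256 bytes with no escapes. */
#define A10 "aaaaaaaaaa"
#define A100 A10 A10 A10 A10 A10 A10 A10 A10 A10 A10
static const char oversized_name[] = A100 A100 A100 ".in-addr.arpa";
```

With the escaping rule, a single 63-byte label of non-printable bytes already expands to 252 bytes, so two such labels exceed the 256-byte stack buffer while staying far below MAX_NAME_LEN.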
The issue is that when dn_expand encounters non-printable ASCII bytes (0x01, 0x02, …), it converts them to their octal representations. For example, the byte 0x01 is converted to its octal counterpart \001, which is the four bytes 0x5C 0x30 0x30 0x31. As such, it is possible to forge a maliciously crafted DNS packet such that, when it is expanded, it is much larger than the intended 256-byte stack buffer.

Severity: Critical, 9.5/10 (CVSS v4 base metrics)
  Exploitability           : Attack Vector: Network; Attack Complexity: High; Attack Requirements: None; Privileges Required: None; User Interaction: None
  Vulnerable System Impact : Confidentiality: High; Integrity: High; Availability: High
  Subsequent System Impact : Confidentiality: High; Integrity: High; Availability: High
  Vector                   : CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVE ID     : CVE-2026-30871
Weaknesses : No CWEs
Credits    : axelm-tob (@axelm-tob), Reporter; aparcar (@aparcar), Coordinator; KanjiMonster (@KanjiMonster), Remediation developer
_____________________________________________________________________

mdnsd: Stack buffer overflow in IPv6 reverse DNS lookup
Severity: Critical
GHSA-mpgh-v658-jqv5, published by aparcar on Mar 19, 2026

Package           : OpenWrt
Affected versions : < 24.10.6, < 25.12.1
Patched versions  : 24.10.6, 25.12.1

Description

The mdns daemon contains a stack buffer overflow vulnerability in the match_ipv6_addresses function when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa). The vulnerability is reachable through normal DNS packet processing when the daemon receives multicast DNS queries on UDP port 5353.

The global buffer name_buffer, which holds the expanded domain after the call to dns_consume_name, is processed in the parse_question function, where the different DNS query types are handled. For TYPE_PTR queries, dns_consume_name checks whether name_buffer ends with a reverse DNS suffix.
If a match is found, a strcpy is performed from name_buffer into a fixed 256-byte stack buffer, with the IPv6 reverse DNS suffix excluded. The resulting buffer is then processed by dns_reply_reverse_ip6_mapping, which calls match_ipv6_addresses. In the match_ipv6_addresses function, the reverse IPv6 request is extracted into a buffer of length INET6_ADDRSTRLEN (46). Since the length of the data in the 256-byte buffer is not checked before the IPv6 address is extracted, the data can be larger than 46 bytes, leading to an out-of-bounds (OOB) write.

Severity: Critical, 9.5/10 (CVSS v4 base metrics)
  Exploitability           : Attack Vector: Network; Attack Complexity: High; Attack Requirements: None; Privileges Required: None; User Interaction: None
  Vulnerable System Impact : Confidentiality: High; Integrity: High; Availability: High
  Subsequent System Impact : Confidentiality: High; Integrity: High; Availability: High
  Vector                   : CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVE ID     : CVE-2026-30872
Weaknesses : No CWEs
Credits    : axelm-tob (@axelm-tob), Analyst; aparcar (@aparcar), Coordinator; KanjiMonster (@KanjiMonster), Remediation developer
_____________________________________________________________________

jsonpath: Memory leak when processing strings, labels, and regexp tokens
Severity: Low
GHSA-rcc6-v4r6-gj4m, published by aparcar on Mar 19, 2026

Package           : OpenWrt
Affected versions : < 24.10.6, < 25.12.1
Patched versions  : 24.10.6, 25.12.1

Description

The jp_get_token function is part of the lexical analysis phase, which breaks input expressions into individual tokens for subsequent parsing. During tokenization, the library extracts and stores string literals, field labels, and regular expressions, which involves dynamic memory allocation to handle variable-length text content. The extraction results are stored in the jp_opcode struct, which is later transferred to a new jp_opcode object in the jp_alloc_op function.
If a string was previously extracted into an initial jp_opcode object, the string is copied to the new allocation without freeing the previous one, leading to a memory leak.

Severity: Low, 2.4/10 (CVSS v4 base metrics)
  Exploitability           : Attack Vector: Adjacent; Attack Complexity: Low; Attack Requirements: None; Privileges Required: High; User Interaction: Active
  Vulnerable System Impact : Confidentiality: None; Integrity: None; Availability: Low
  Subsequent System Impact : Confidentiality: None; Integrity: None; Availability: None
  Vector                   : CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVE ID     : CVE-2026-30873
Weaknesses : No CWEs
Credits    : axelm-tob (@axelm-tob), Reporter; aparcar (@aparcar), Coordinator
_____________________________________________________________________

procd: Command execution via PATH environment variable filter bypass
Severity: Low
GHSA-jw28-hxcm-j934, published by aparcar on Mar 19, 2026

Package           : OpenWrt
Affected versions : < 24.10.6
Patched versions  : 24.10.6

Description

procd executes scripts located in /etc/hotplug.d when certain events happen on a system, and can be invoked via the call ubus method. The hotplug_call function is responsible for handling these invocations and performs environment variable filtering and processing during execution. One of the environment variables that is meant to be filtered out is the PATH variable, but because strcmp is used rather than strncmp, the variable is not excluded: instead of comparing the first four characters of the environment variable to PATH, the full string is compared, so the variable is never skipped. As such, it may be possible to specify an arbitrary PATH variable in order to perform privilege escalation.
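Added illustration, not procd's code: the strcmp-versus-strncmp filter defect described above, beside a fixed form, run over a constructed hotplug environment. The function names, sample_env and its filler variables are assumptions; the fixed check compares "PATH=" (five characters, the name plus '=') where the advisory describes a four-character comparison, so that only the PATH variable itself is dropped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed environment as a hotplug caller might pass over ubus; only the
 * PATH entry matters for the advisory, the rest is filler. */
static const char *sample_env[] = {
    "ACTION=add",
    "PATH=/tmp/override:/usr/sbin:/usr/bin:/sbin:/bin",
    "DEVICENAME=eth0",
    NULL,
};

/* Flawed check as the advisory describes it: strcmp compares the whole
 * "NAME=value" string against "PATH", which is never equal, so the variable
 * is never skipped. */
bool is_blocked_strcmp(const char *var)
{
    return strcmp(var, "PATH") == 0;
}

/* Fixed check: compare only the variable-name prefix. Matching "PATH="
 * (name plus '=') rather than the first four characters keeps an unrelated
 * variable such as PATHFOO from being dropped as well. */
bool is_blocked_strncmp(const char *var)
{
    return strncmp(var, "PATH=", 5) == 0;
}

/* Copy env into out (NULL-terminated), dropping whatever the predicate blocks.
 * Returns the number of entries kept. */
size_t filter_env(const char **env, bool (*blocked)(const char *),
                  const char **out, size_t max)
{
    size_t n = 0;
    for (; *env && n + 1 < max; env++)
        if (!blocked(*env))
            out[n++] = *env;
    out[n] = NULL;
    return n;
}

/* Does a PATH= entry survive filtering of sample_env with this predicate? */
bool path_survives(bool (*blocked)(const char *))
{
    const char *out[8];
    size_t n = filter_env(sample_env, blocked, out, 8);
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], "PATH=", 5) == 0)
            return true;
    return false;
}
```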
References

Fix: http://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81

Severity: Low, 1.8/10 (CVSS v4 base metrics)
  Exploitability           : Attack Vector: Local; Attack Complexity: Low; Attack Requirements: Present; Privileges Required: High; User Interaction: None
  Vulnerable System Impact : Confidentiality: Low; Integrity: Low; Availability: None
  Subsequent System Impact : Confidentiality: None; Integrity: None; Availability: None
  Vector                   : CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVE ID     : CVE-2026-30874
Weaknesses : No CWEs
Credits    : axelm-tob (@axelm-tob), Reporter; aparcar (@aparcar), Coordinator; dangowrt (@dangowrt), Remediation developer

=========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41           +
+ 75013 Paris         | email : cert@support.renater.fr  +
=========================================================