DNS CVE-2025-5688

EUVD-2025-16897 | HIGH | Out-of-bounds Write (CWE-787)
2025-06-04 ff89ba41-3aa1-4d27-914a-91399e9639e5
CVSS 4.0 score: 7.5

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 06:45, source EUVD-patch-fix (executive_summary)
Re-analysis Queued: Apr 16, 2026 - 05:29, source backfill_euvd_patch (patch_released)
Patch available: Apr 16, 2026 - 05:29, source EUVD (4.3.2)
EUVD ID Assigned: Mar 14, 2026 - 17:29, source euvd (EUVD-2025-16897)
Analysis Generated: Mar 14, 2026 - 17:29, source vuln.today
CVE Published: Jun 04, 2025 - 17:15, source nvd (HIGH 7.5)

Description (NVD)

We have identified a buffer overflow issue allowing out-of-bounds write when processing LLMNR or mDNS queries with very long DNS names. This issue only affects systems using Buffer Allocation Scheme 1 with LLMNR or mDNS enabled.

Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

Analysis (AI)

Buffer overflow vulnerability (CWE-787: Out-of-bounds Write) in DNS name processing affecting systems running LLMNR or mDNS with Buffer Allocation Scheme 1 enabled. An attacker with local access can trigger out-of-bounds writes by crafting LLMNR/mDNS queries with excessively long DNS names, potentially achieving code execution or system compromise. The vulnerability requires local access (AV:L) but no user interaction or authentication, making it a significant privilege escalation vector on multi-user systems.

Technical Context (AI)

This vulnerability exists in the DNS name processing logic for LLMNR (Link-Local Multicast Name Resolution, RFC 4795) and mDNS (Multicast DNS, RFC 6762) implementations. The root cause is improper bounds checking in buffer allocation and write operations (CWE-787: Out-of-bounds Write) when handling DNS domain names that exceed expected length constraints. Systems using 'Buffer Allocation Scheme 1'—a specific memory allocation strategy—are vulnerable due to insufficient validation of DNS name lengths before writing to allocated buffers. The vulnerability is triggered during query processing, suggesting the flaw exists in the DNS packet parsing or name decompression routines. This affects network stack implementations across Windows, Linux, and potentially other operating systems that implement these DNS protocols natively or through third-party libraries.

Remediation (AI)

Immediate actions:
(1) Upgrade to the latest patched version of affected software (vendor advisories required for specific version numbers).
(2) Verify Buffer Allocation Scheme in use: organizations using Scheme 2 or later are unaffected and can deprioritize patching.
(3) Disable LLMNR and mDNS on systems where not required (Windows: Group Policy 'Turn off multicast name resolution', Linux: systemctl disable systemd-resolved/avahi-daemon).
(4) Restrict local user account creation on critical systems to reduce privilege escalation vectors.
(5) Implement address space layout randomization (ASLR) and control-flow guard protections to complicate exploitation.
(6) Monitor for DNS-related crashes or memory protection violations in system logs.

Workarounds include network segmentation to limit untrusted local access and disabling DNS services entirely where LAN name resolution is not essential. Derivative code and forked projects must apply patches independently as noted in the advisory.
