Skip to main content

Red Hat CVE-2026-34933

MEDIUM
Reachable Assertion (CWE-617)
2026-04-03 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 03, 2026 - 23:15 vuln.today
CVE Published
Apr 03, 2026 - 22:43 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

AnalysisAI

Denial of service in Avahi prior to version 0.9-rc4 allows local unprivileged users to crash avahi-daemon by sending a D-Bus method call with conflicting publish flags. The vulnerability requires local access and low privileges but causes immediate service unavailability. No public exploit code or active exploitation has been confirmed; however, the attack is trivial to execute given the low complexity barrier.

Technical ContextAI

Avahi is a mDNS/DNS-SD service discovery daemon commonly deployed on Linux systems. The vulnerability exists in the D-Bus interface exposed by avahi-daemon, which processes service publication requests. The root cause is classified as CWE-617 (Reachable Assertion), indicating that the daemon fails to properly validate conflicting publish flag combinations before processing them, resulting in an unhandled assertion or crash. The affected product spans all Avahi versions prior to 0.9-rc4, as identified by CPE cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: Avahi 0.9-rc4 and later versions contain the fix. Users should upgrade avahi-daemon to version 0.9-rc4 or a later stable release when available. The upstream fix is documented in GitHub PR #891 and commit 625ca0fac19229f6dfa3a6c6b698ae657187e50c. Until patching is possible, restrict D-Bus method call access to avahi-daemon to trusted users via D-Bus policy configuration, though this may impact legitimate service discovery functionality. See the security advisory at https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc for complete details.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-34933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy