Advisory

OpenWrt Releases Critical Security Updates for mdnsd and Web Interface

Take action: If you are using OpenWrt, plan a quick update to block remote code execution via the DNS daemon. Until you update, disable multicast DNS or restrict access to UDP port 5353 to trusted hosts to mitigate exploitation. And of course, make sure the web admin interface is only accessible from trusted networks.


Learn More

The OpenWrt project released service updates 25.12.1 and 24.10.6 to address five security vulnerabilities, including two critical stack buffer overflows in the multicast DNS daemon (mdnsd). 

The updates also resolve a high-severity cross-site scripting (XSS) issue in the web interface and several lower-risk bugs identified in the core system components.

Vulnerability summary:

  • CVE-2026-30871 (CVSS score 9.5) - A stack buffer overflow in the mdnsd daemon's parse_question function triggered by malicious DNS PTR queries. The dn_expand function converts non-printable bytes into four-byte octal strings, causing the expanded name to exceed the 256-byte destination buffer during an unbounded strcpy operation. This allows unauthenticated attackers to run arbitrary code by sending crafted multicast DNS queries to UDP port 5353.
  • CVE-2026-30872 (CVSS score 9.5) - A stack buffer overflow in the mdnsd daemon occurring during IPv6 reverse DNS lookups in the match_ipv6_addresses function. The code fails to verify whether the input data fits within the 46-byte INET6_ADDRSTRLEN buffer before extraction, leading to an out-of-bounds write. Attackers can exploit this flaw to gain system-level access through network-based requests.
  • CVE-2026-32721 (CVSS score 8.6) - A cross-site scripting (XSS) vulnerability in the OpenWrt web interface's WiFi scan mode. The interface renders discovered SSIDs as raw HTML without filtering, allowing an attacker to run malicious scripts in an administrator's browser by broadcasting a specially named WiFi network.
  • CVE-2026-30873 (CVSS score 2.4) - A low-severity vulnerability in the mdnsd component that poses minimal risk to system integrity.
  • CVE-2026-30874 (CVSS score 1.8) - A low-severity vulnerability in the mdnsd component affecting specific daemon operations.
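To make the arithmetic behind CVE-2026-30871 concrete, here is an added example (not code from OpenWrt or its mdnsd) that computes how long a wire-format name becomes once every non-printable byte is rendered as a four-character backslash escape, and shows the bounds check a 256-byte destination needs instead of an unbounded strcpy. It assumes the presentation-format rules of the BIND-style ns_name_ntop (four characters for a non-printable byte, as the advisory describes, two for the special characters `" . ; \ ( ) @ $`); the exact escaping in OpenWrt's own dn_expand may differ, but the conclusion that a legal 63-byte label alone can approach the buffer size does not.

```c
#include <stdint.h>
#include <string.h>

#define NAME_BUF 256  /* the 256-byte stack buffer the advisory describes */

/* Length of a wire-format DNS name (no compression pointers) in presentation
 * form: non-printable bytes become the four-character escape "\DDD" and the
 * characters " . ; \ ( ) @ $ become two-character "\c" escapes, as
 * libresolv's ns_name_ntop renders them for dn_expand. -1 if malformed. */
long expanded_name_len(const uint8_t *wire, size_t wire_len) {
    size_t pos = 0; long total = 0; int first = 1;
    while (pos < wire_len) {
        uint8_t len = wire[pos++];
        if (len == 0) return first ? 1 : total;   /* root renders as "." */
        if (len > 63 || pos + len > wire_len) return -1;
        if (!first) total += 1;                   /* '.' between labels */
        first = 0;
        for (size_t i = 0; i < len; i++) {
            uint8_t c = wire[pos + i];
            if (c > 0x20 && c < 0x7f) total += strchr("\".;\\()@$", c) ? 2 : 1;
            else total += 4;
        }
        pos += len;
    }
    return -1;                                    /* no terminating zero label */
}

/* Bounded replacement for the unbounded strcpy: refuse a name that does not
 * fit instead of writing past the end of the 256-byte destination. */
int copy_name_checked(char dst[NAME_BUF], const char *expanded) {
    size_t n = strlen(expanded);
    if (n >= NAME_BUF) return -1;
    memcpy(dst, expanded, n + 1);
    return 0;
}

/* Constructed sample: two 63-byte labels of the byte 0x01. Each label renders
 * as 63 * 4 = 252 characters, so the name expands to 505, far past 256. */
long demo_hostile_len(void) {
    uint8_t wire[129] = {0};                      /* trailing 0 = root label */
    wire[0] = 63;  memset(wire + 1, 0x01, 63);
    wire[64] = 63; memset(wire + 65, 0x01, 63);
    return expanded_name_len(wire, sizeof wire);
}

/* A 505-character expansion must be refused by the bounded copy: returns -1. */
int demo_copy_rejected(void) {
    char dst[NAME_BUF], big[506];
    memset(big, 'A', 505); big[505] = '\0';
    return copy_name_checked(dst, big);
}
```

The ordinary browsing name `_services._dns-sd._udp.local` expands to only 28 characters, which is why normal mDNS traffic never reveals the missing check.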

Successful exploitation of the critical mdnsd flaws grants attackers full control over the router, potentially leading to data interception, network redirection, or persistent malware installation. Because mdnsd listens on multicast addresses, these attacks can often be launched from the local network without authentication. The XSS flaw in the LuCI interface could allow an attacker to steal session cookies or change router configurations if an administrator views the WiFi scan results while a malicious SSID is present.

The vulnerabilities affect all OpenWrt installations running versions prior to 24.10.6 and 25.12.1.

Users should immediately update their devices to OpenWrt version 24.10.6 or 25.12.1. If an immediate update is not possible, administrators should consider disabling the mdnsd service or blocking UDP port 5353 from untrusted sources.
