Denial of Service Vulnerability in Avahi Service Discovery by Community
CVE-2025-59529

5.5 MEDIUM

Key Information:

Vendor: Avahi

CVE Published: 18 December 2025

What is CVE-2025-59529?

Avahi is a service discovery system that uses the mDNS/DNS-SD protocol suite. Its simple protocol server has a vulnerability that can lead to a local denial of service. The issue lies in the handling of client connections: although a limit on the number of clients is defined (CLIENTS_MAX), the server never checks it and accepts an unlimited number of connections. This allows unprivileged local users to exhaust the daemon's memory and file descriptors, creating a denial of service that affects mDNS/DNS-SD functionality for the entire system. The server also logs errors continuously once it is overwhelmed with connections, which adds to system load. No patched versions are currently available, but a candidate fix exists, and some workarounds can help mitigate the risk.
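The missing check described above, as an added example (this is not Avahi's code and not the candidate fix): a hypothetical accept handler that either ignores or enforces a CLIENTS_MAX cap, so the difference in retained memory and descriptors can be measured. The Server and Client structs, the function names and the cap value of 8 are assumptions; socketpair() stands in for local clients that connect and stay idle.

```c
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define CLIENTS_MAX 8            /* constructed value for this sketch */
typedef struct Client { int fd; struct Client *next; } Client;
typedef struct Server { Client *clients; unsigned n_clients, rejected; } Server;

/* Handle one accepted connection. With enforce_limit == 0 this mirrors the
 * behaviour described above: the cap is defined but never consulted. */
static int server_accept(Server *s, int fd, int enforce_limit) {
    Client *c;
    if (enforce_limit && s->n_clients >= CLIENTS_MAX) {
        close(fd);               /* drop the connection, keep no state */
        s->rejected++;
        return -1;
    }
    if (!(c = malloc(sizeof *c))) { close(fd); return -1; }
    c->fd = fd;
    c->next = s->clients;
    s->clients = c;
    s->n_clients++;
    return 0;
}

static void server_free(Server *s) {
    for (Client *c = s->clients, *n; c; c = n) { n = c->next; close(c->fd); free(c); }
    s->clients = NULL;
    s->n_clients = 0;
}

/* Open `attempts` local connections that never disconnect; return how many
 * client records (memory plus one descriptor each) the server still holds. */
unsigned clients_held(int attempts, int enforce_limit, unsigned *rejected) {
    Server s = {0};
    int *peers = calloc(attempts, sizeof *peers), n = 0, sv[2];
    unsigned held;
    if (!peers) return 0;
    while (n < attempts && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        peers[n++] = sv[1];      /* sv[1] plays the idle local client */
        server_accept(&s, sv[0], enforce_limit);
    }
    held = s.n_clients;
    if (rejected) *rejected = s.rejected;
    server_free(&s);
    while (n > 0) close(peers[--n]);
    free(peers);
    return held;
}
```

Without the check, held state grows with every connection attempt; with it, held state stays at CLIENTS_MAX and excess connections are closed immediately.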

Affected Version(s)

avahi <= 0.9-rc2


CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
