CVE-2021-3502

low-risk
Published 2021-05-07

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Avahi

Affected Vendors

Avahi

References (4)

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=1946914
Exploit https://github.com/lathiat/avahi/issues/338
Exploit https://bugzilla.redhat.com/show_bug.cgi?id=1946914
Exploit https://github.com/lathiat/avahi/issues/338
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal