Source: igmpproxy
Version: 0.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pali/igmpproxy/issues/97
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for igmpproxy.

CVE-2025-50681[0]:
| igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause
| a denial of service (application crash) via a crafted IGMPv3
| membership report packet with a malicious source address. Due to
| insufficient validation in the `recv_igmp()` function in
| src/igmpproxy.c, an invalid group record type can trigger a NULL
| pointer dereference when logging the address using `inet_fmtsrc()`.
| This vulnerability can be exploited by sending malformed multicast
| traffic to a host running igmpproxy, leading to a crash. igmpproxy
| is used in various embedded networking environments and
| consumer-grade IoT devices (such as home routers and media gateways)
| to handle multicast traffic for IPTV and other streaming services.
| Affected devices that rely on unpatched versions of igmpproxy may be
| vulnerable to remote denial-of-service attacks across a LAN.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-50681
    https://www.cve.org/CVERecord?id=CVE-2025-50681
[1] https://github.com/pali/igmpproxy/issues/97
[2] https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c

Regards,
Salvatore
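An added example, not igmpproxy's code and not the upstream fix referenced above: a validator for IGMPv3 membership reports that rejects a group record whose type is outside the six values RFC 3376 defines (the "invalid group record type" the CVE text names) or whose declared sources and auxiliary data run past the packet, so that malformed input is dropped before any address-logging path is reached. The packet buffers and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define IGMPV3_REPORT      0x22   /* IGMPv3 Membership Report message type */
#define IGMPV3_HDR_LEN     8      /* type, reserved, checksum, reserved, M */
#define IGMPV3_REC_HDR_LEN 8      /* record type, aux len, N, group address */

/* Walk every group record of an IGMPv3 report and refuse the packet
 * before anything is logged or acted on if a record type is outside the
 * six values RFC 3376 defines (1..6), the group address is not multicast,
 * or a record runs past the buffer. Returns the number of group records,
 * or -1 for a malformed report. Checksum verification is assumed to
 * happen before this call. */
int validate_igmpv3_report(const uint8_t *pkt, size_t len) {
    if (pkt == NULL || len < IGMPV3_HDR_LEN || pkt[0] != IGMPV3_REPORT) return -1;
    unsigned nrec = ((unsigned)pkt[6] << 8) | pkt[7];
    size_t off = IGMPV3_HDR_LEN;
    for (unsigned i = 0; i < nrec; i++) {
        if (len - off < IGMPV3_REC_HDR_LEN) return -1;   /* truncated record header */
        uint8_t rtype  = pkt[off];
        uint8_t auxlen = pkt[off + 1];                    /* auxiliary data, 32-bit words */
        unsigned nsrc  = ((unsigned)pkt[off + 2] << 8) | pkt[off + 3];
        if (rtype < 1 || rtype > 6) return -1;            /* undefined record type */
        if ((pkt[off + 4] & 0xf0) != 0xe0) return -1;     /* group not in 224.0.0.0/4 */
        size_t reclen = IGMPV3_REC_HDR_LEN + 4u * nsrc + 4u * auxlen;
        if (len - off < reclen) return -1;                /* sources/aux past end of packet */
        off += reclen;
    }
    return (int)nrec;
}

/* Constructed sample packets (checksum bytes left zero; not verified here). */
const uint8_t report_ok[] = {                 /* one CHANGE_TO_EXCLUDE_MODE record */
    0x22, 0, 0, 0, 0, 0, 0, 1,
    0x04, 0, 0, 0, 239, 1, 1, 1 };
const uint8_t report_bad_type[] = {           /* record type 0 is not defined */
    0x22, 0, 0, 0, 0, 0, 0, 1,
    0x00, 0, 0, 0, 239, 1, 1, 1 };
const uint8_t report_truncated[] = {          /* claims two sources, carries none */
    0x22, 0, 0, 0, 0, 0, 0, 1,
    0x04, 0, 0, 2, 239, 1, 1, 1 };

int main(void) {
    printf("ok=%d bad_type=%d truncated=%d\n",
           validate_igmpv3_report(report_ok, sizeof report_ok),
           validate_igmpv3_report(report_bad_type, sizeof report_bad_type),
           validate_igmpv3_report(report_truncated, sizeof report_truncated));
    return 0;
}
```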

