Note: Debian has fixed this in avahi 0.8-18 (unstable, 2026-02-01) alongside CVE-2025-68276, CVE-2025-68468, CVE-2025-68471, and CVE-2024-52616.
Ubuntu Noble currently has 0.8-13ubuntu6.1 which includes fixes for CVE-2025-68276/68468/68471 but NOT CVE-2026-24401. The attached debdiff adds only the CVE-2026-24401 fix on top of the current Noble package. Alternatively, the patch from Debian 0.8-18 could be used. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2146909 Title: CVE-2026-24401: avahi-daemon crash via recursive CNAME records (stack exhaustion) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/2146909/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
