CVE-2024-52616

Publication date 21 November 2024

Last updated 23 April 2026

Ubuntu priority

Cvss 3 Severity Score

Description

A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

Read the notes from the security team

Why is this CVE low priority?

This is a low severity issue with a work-around

Learn more about Ubuntu priority

Mitigation

This issue can be mitigated by disabling wide-area DNS queries. This can be done by setting enable-wide-are=no in /etc/avahi/avahi-daemon.conf

Status

Show unmaintained releases

Package	Ubuntu Release	Status
avahi	26.04 LTS resolute	Not affected
	25.10 questing	Vulnerable
	25.04 plucky	Ignored end of life, was deferred
	24.10 oracular	Ignored end of life, was deferred
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Ignored end of ESM support, was needs-triage

Notes

mdeslaur

Upstream has disabled wide-area by default: https://github.com/avahi/avahi/pull/577 Another bug exists to track improving wide-area: https://github.com/avahi/avahi/issues/578 wide-are is disabled by default in 0.8-17

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
avahi	Upstream: https://github.com/avahi/avahi/pull/659 Upstream: f8710bd

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N