← Back

CVE-2025-50681

nvd nist
Published: Dec 19, 2025Modified: Jan 2, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 / Impact: 3.6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN .

Affected (1)

Products: Pali: Igmpproxy
Pali
1 product
Igmpproxy
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Igmpproxy
Version 0.4

Related CWEs

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (4)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
ExploitPatchIssue Tracking
Source: cve@mitre.org
Patch
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitPatchIssue Tracking

Timeline

No history available yet.