VYPR
Unrated severity · NVD Advisory · Published Mar 21, 2019 · Updated Aug 5, 2024

CVE-2018-3985

Description

An exploitable double free vulnerability exists in the mdnscap binary of the CUJO Smart Firewall. When parsing mDNS packets, a memory space is freed twice if an invalid query name is encountered, leading to arbitrary code execution in the context of the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Double free vulnerability in CUJO Smart Firewall's mdnscap allows unauthenticated remote code execution via crafted mDNS packet.

Vulnerability

A double free vulnerability exists in the mdnscap binary of the CUJO Smart Firewall (firmware version 7003). When parsing mDNS packets, if an invalid query name is encountered, a memory region is freed twice. This occurs because the packet parsing routine handles malformed mDNS query names improperly. The vulnerability is reachable without any special configuration; the mdnscap process listens for mDNS traffic on the network.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted mDNS message over the local network to the target device. No prior authentication or special network position is required beyond being able to send mDNS packets to the CUJO Smart Firewall. The attacker simply crafts an mDNS packet containing an invalid query name that triggers the double free condition when parsed by mdnscap.

Impact

Successful exploitation leads to arbitrary code execution within the context of the mdnscap process. The CVSSv3 score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) indicates a serious vulnerability with a changed scope, potentially allowing an attacker to compromise the device's security and gain limited access to confidentiality, integrity, and availability.

Mitigation

No official fix or patched firmware version has been disclosed in the available reference [1]. Users are advised to monitor vendor updates for a security patch. As of the advisory publication date (2019-03-21), no mitigation is provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing pointer re-initialization after free in parse_mdns_records allows a second free of the same heap buffer when a subsequent DNS name parse fails."

Attack vector

An unauthenticated attacker sends a crafted mDNS packet (UDP port 5353) to the target network. The packet must have QR=1 (response) and TC=0 (not truncated) in the DNS header [ref_id=1]. By including an invalid DNS name label—such as a label with a length byte that causes an out-of-bounds read—the attacker causes `dns_parse_name` to fail [ref_id=1]. This triggers the double-free code path in `parse_mdns_records`, leading to arbitrary code execution in the context of the `mdnscap` process [CWE-415].

Affected code

The vulnerability resides in the `parse_mdns_records` function of the `mdnscap` binary. The function loops over DNS section entries, calling `dns_parse_name` [ref_id=1] and `dns_parse_qr` [ref_id=1] to allocate heap buffers for the query name and query data. When either parsing call fails, execution jumps to a cleanup path that unconditionally frees both `query_name` and `query_qr` [ref_id=1], even though these pointers may already have been freed in a previous loop iteration or may be uninitialized.

What the fix does

The advisory does not include a patch or remediation code. The recommended fix would be to reset `query_name` and `query_qr` to NULL after freeing them at the end of each loop iteration [ref_id=1], or to restructure the error-handling path so that it only frees pointers that were successfully allocated during the current iteration. Without such a change, the cleanup code at [23] will free already-freed pointers on subsequent loop iterations when a parsing failure occurs [ref_id=1].
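The loop pattern described in the two sections above, as an added illustration that is not the mdnscap code (which is not on the page): a free-tracking shim counts a second free of the same buffer instead of passing it to the allocator, so the stale-pointer path and the NULL-reset fix can be compared safely. `parse_name_stub`, `tracked_free`, `walk_records` and the sample entries are constructed stand-ins, and the assumption that the name parser leaves its output pointer untouched on failure is mine.

```c
#define _POSIX_C_SOURCE 200809L                       /* for strdup */
#include <stdlib.h>
#include <string.h>

typedef struct { const unsigned char *label; } entry_t; /* one section entry: DNS-style name */

/* Free-tracking shim: a second free of the same buffer is counted, not passed to free(). */
static void *freed[16];
static int nfreed, double_frees;

static void tracked_free(void *p) {
    if (!p) return;                                   /* free(NULL) is harmless */
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; } /* CWE-415: already freed */
    if (nfreed < 16) freed[nfreed++] = p;
    free(p);
}
static char *tracked_dup(const unsigned char *s) {
    char *p = strdup((const char *)s);
    for (int i = 0; i < nfreed; i++)                  /* address reused: no longer "freed" */
        if (freed[i] == p) { freed[i] = freed[--nfreed]; break; }
    return p;
}

/* Stand-in for dns_parse_name (assumed behaviour): returns -1 on a malformed
 * label and leaves *out untouched, so the caller still holds a stale pointer. */
static int parse_name_stub(const unsigned char *label, char **out) {
    if (label[0] == 0xFF) return -1;                  /* 0xFF length byte = malformed name */
    *out = tracked_dup(label + 1);
    return 0;
}

/* Walks a section the way the page describes parse_mdns_records doing it and returns the
 * number of double frees. fix=0 keeps the stale pointers; fix=1 resets them to NULL. */
int walk_records(const entry_t *entries, int n, int fix) {
    char *query_name = NULL, *query_qr = NULL;
    nfreed = 0; double_frees = 0;
    for (int i = 0; i < n; i++) {
        if (parse_name_stub(entries[i].label, &query_name) < 0) goto cleanup;
        query_qr = tracked_dup((const unsigned char *)"rr"); /* stand-in for dns_parse_qr */
        tracked_free(query_name);
        tracked_free(query_qr);
        if (fix) { query_name = NULL; query_qr = NULL; }   /* the recommended one-line fix */
    }
    return double_frees;
cleanup:                                              /* unconditional cleanup path */
    tracked_free(query_name);
    tracked_free(query_qr);
    return double_frees;
}

/* Constructed two-entry section: a valid name, then a malformed label. */
static const entry_t sample[] = { { (const unsigned char *)"\005hello" }, { (const unsigned char *)"\377" } };
int demo_double_frees(int fix) { return walk_records(sample, 2, fix); }
```

With the stale pointers left in place the failing second entry produces two double frees (one per buffer); with the reset in place it produces none.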

Preconditions

  • network: Attacker must be able to send a UDP packet to port 5353 on the network where the CUJO Smart Firewall is monitoring.
  • input: The mDNS packet must have QR=1 (response) and TC=0 (not truncated) in the DNS header.
  • input: The packet must contain at least two entries in a section, with the second entry having an invalid DNS name label (e.g., a length byte causing an out-of-bounds read).

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.