100 matches found
CVE-2026-47184
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.7, DNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache without a cap, allowing unauthenticated hosts on the local link over UDP/5353 224.0.0.251 / ff02::f...
CVE-2026-48045
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handlequeryordefer retained every truncated TC-bit incoming query, each up to MAXMSGABSOLUTE = 8966 bytes, in self.deferredaddr and armed a per-address timer in self.timersaddr without...
CVE-2026-47183
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.6, DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dictionary keyed by attacker-influenced IncomingDecodeError messages, retaining sys.excinfo...
CVE-2026-48487
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, readcharacterstring and readstring in src/zeroconf/protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self.datalen, allowing unauthenticated hosts on th...
CVE-2026-47180
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.5, DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer, and a single mDNS packet carrying chained pointers can trigger a RecursionError that escapes DNSIncoming.init, causing...
CVE-2026-48487
CVE-2026-48487 (python-zeroconf) : Prior to 0.149.16, _read_character_string and _read_string in zeroconf’s incoming protocol could advance the parser past the end of the payload by using attacker-declared RDLENGTH without checking against data length, enabling unauthenticated LAN-local hosts on ...
CVE-2026-48487 Zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, readcharacterstring and readstring in src/zeroconf/protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self.datalen, allowing unauthenticated hosts on th...
CVE-2026-48045 Zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handlequeryordefer retained every truncated TC-bit incoming query, each up to MAXMSGABSOLUTE = 8966 bytes, in self.deferredaddr and armed a per-address timer in self.timersaddr without...
CVE-2026-48045 Zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handlequeryordefer retained every truncated TC-bit incoming query, each up to MAXMSGABSOLUTE = 8966 bytes, in self.deferredaddr and armed a per-address timer in self.timersaddr without...
CVE-2026-48045
The CVE-2026-48045 issue affects python-zeroconf (Zeroconf Pure Python) where AsyncListener.handle_query_or_defer retains every truncated TC-bit mDNS query per source in self._deferred[addr] and arms per-address timers in self._timers[addr]. This unbounded queue growth on LAN-local hosts (UDP/535...
CVE-2026-47184
CVE-2026-47184 affects the python-zeroconf project. DNSCache._async_add can insert every response record into cache, expirations, expire_heap, and service_cache without a cap, enabling unauthenticated LAN hosts on UDP/5353 (224.0.0.251 / ff02::fb) to multicast valid mDNS responses with unique nam...
CVE-2026-47183
CVE-2026-47183 - zeroconf (python-zeroconf) : Affected versions prior to 0.149.6 store an unbounded in-memory log of exceptions in DNSIncoming._log_exception_debug and QuietLogger dedup, retaining frame locals with raw packet data. This enables any unauthenticated LAN host on UDP/5353 (224.0.0.25...
CVE-2026-47183 Zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.6, DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dictionary keyed by attacker-influenced IncomingDecodeError messages, retaining sys.excinfo...
CVE-2026-47180 Zeroconf: Unbounded recursion in DNS compression-pointer decoder allows LAN-local denial of service
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.5, DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer, and a single mDNS packet carrying chained pointers can trigger a RecursionError that escapes DNSIncoming.init, causing...
CVE-2026-47180
CVE-2026-47180 affects the Zeroconf Python library. The vulnerability stems from DNSIncoming._decode_labels_at_offset recursing for each DNS-name compression pointer; a crafted mDNS packet with ~1500 chained pointers can cause unbounded recursion, escaping DNSIncoming.init and triggering sustaine...
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Impactreadcharacterstring and readstring in src/zeroconf/protocol/incoming.py sliced self.dataself.offset : self.offset + length and advanced self.offset by the declared length without checking it against self.datalen. Python's slice silently returns fewer bytes when the end index runs past the...
PYSEC-2026-3438 zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Impact readcharacterstring and readstring in src/zeroconf/protocol/incoming.py sliced self.dataself.offset : self.offset + length and advanced self.offset by the declared length without checking it against self.datalen. Python's slice silently returns fewer bytes when the end index runs past the...
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
ImpactAsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
PYSEC-2026-3435 python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
Impact AsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
ImpactDNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...