14 matches found
CVE-2026-48487
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, readcharacterstring and readstring in src/zeroconf/protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self.datalen, allowing unauthenticated hosts on th...
CVE-2026-48487
CVE-2026-48487 (python-zeroconf) : Prior to 0.149.16, _read_character_string and _read_string in zeroconf’s incoming protocol could advance the parser past the end of the payload by using attacker-declared RDLENGTH without checking against data length, enabling unauthenticated LAN-local hosts on ...
CVE-2026-48487 Zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, readcharacterstring and readstring in src/zeroconf/protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self.datalen, allowing unauthenticated hosts on th...
CVE-2026-47183
CVE-2026-47183 - zeroconf (python-zeroconf) : Affected versions prior to 0.149.6 store an unbounded in-memory log of exceptions in DNSIncoming._log_exception_debug and QuietLogger dedup, retaining frame locals with raw packet data. This enables any unauthenticated LAN host on UDP/5353 (224.0.0.25...
PYSEC-2026-3438 zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Impact readcharacterstring and readstring in src/zeroconf/protocol/incoming.py sliced self.dataself.offset : self.offset + length and advanced self.offset by the declared length without checking it against self.datalen. Python's slice silently returns fewer bytes when the end index runs past the...
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
ImpactAsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
PYSEC-2026-3436 zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service
Impact DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past CPython'...
PYSEC-2026-3437 zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
Impact DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...
PT-2026-60048
Impact DNSCache. async add inserted every response record into cache, expirations, expire heap, and service cache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNS PTR MIN TTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a...
autonet-computer (>=0.1.2 <=0.1.3), cir1-hldns (=1.6.14) +35 more potentially affected by CVE-2026-48487 via zeroconf (>=0.140.1 <=0.149.12)
zeroconf PYPI version =0.140.1, =0.1.2, =2025.2.0, =2026.5.0, =2026.5.0, =0.1.0, =3.0.0, =0.0.1, =1.0.0, =0.2.9, =0.6.0 - matrix-alt-cameras =0.0.1 and more Source cves: CVE-2026-48487 Source advisory: OSV:GHSA-QC2X-6F54-M6H9...
adb-wifi-qr (=0.2.0), autonet-computer (>=0.1.2 <=0.1.3) +77 more potentially affected by CVE-2026-48045 via zeroconf (>=0.102.0 <=0.148.0)
zeroconf PYPI version =0.102.0, =0.1.2, =0.4.3.0, =1.4.0, =0.3.0, =1.1.0, =0.0.11, =0.1.24, =0.2.6, =2023.9.0, =0.1.688, =0.1.754 and more Source cves: CVE-2026-48045 Source advisory: SNYK:PYTHON-ZEROCONF-17318192...
autonet-computer (>=0.1.2 <=0.1.3), cir1-hldns (=1.6.14) +35 more potentially affected by CVE-2026-48045 via zeroconf (>=0.140.1 <=0.148.0)
zeroconf PYPI version =0.140.1, =0.1.2, =2025.2.0, =2026.5.0, =2026.5.0, =0.1.0, =3.0.0, =0.0.1, =1.0.0, =0.2.9, =0.6.0 - matrix-alt-cameras =0.0.1 and more Source cves: CVE-2026-48045 Source advisory: OSV:GHSA-9663-MQMP-P9MM...
a2a-lite (>=0.1.0 <=0.2.2), adb-connect-qr (>=0.1.0 <=0.1.3) +568 more potentially affected by CVE-2026-47183 via zeroconf (>=0.140.1 <=0.149.3)
zeroconf PYPI version =0.140.1, =0.1.0, =0.1.0, =0.1.0, =1.0.2, =1.0.1, =0.0.1, =1.4.8, =2.6.28, =0.7.1, =0.0.1, =1.7.0, =0.2.38, =3.2.20 and more Source cves: CVE-2026-47183 Source advisory: OSV:GHSA-PHVX-9MGW-67R5...
a2a-lite (>=0.1.0 <=0.2.2), adb-connect-qr (>=0.1.0 <=0.1.3) +595 more potentially affected by CVE-2026-47183 via zeroconf (>=0.102.0 <=0.149.3)
zeroconf PYPI version =0.102.0, =0.1.0, =0.1.0, =0.1.0, =1.0.2, =1.0.1, =0.0.1, =1.4.8, =2.6.28, =0.7.1, =0.0.1, =1.7.0, =45.3.1 and more Source cves: CVE-2026-47183 Source advisory: SNYK:PYTHON-ZEROCONF-17111092...