Lucene search
K

3 matches found

Github Security Blog
Github Security Blog
added 2026/05/29 8:18 p.m.21 views

zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood

Impact DNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...

5.8AI score0.00023EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/29 8:13 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview zeroconf is a Pure Python Multicast DNS Service Discovery Library Bonjour/Avahi compatible Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DNSIncoming.logexceptiondebug function and the exception-deduplication, which stores...

7.1CVSS5.8AI score0.0002EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 8:13 p.m.9 views

GHSA-PHVX-9MGW-67R5 zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion

Impact DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...

6.5CVSS5.8AI score0.0002EPSS
Exploits0References4
Rows per page
Query Builder