CVE-2026-47183
Received Received - Intake

Memory Exhaustion in Zeroconf via Unbounded Log Storage

Vulnerability report for CVE-2026-47183, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.6, DNSIncoming._log_exception_debug and the four QuietLogger exception-dedup methods stored an unbounded _seen_logs dictionary keyed by attacker-influenced IncomingDecodeError messages, retaining sys.exc_info() tracebacks whose frame locals kept raw packet self.data buffers and allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to drive memory growth until mDNS-dependent features degrade or the process is OOM-killed. This issue is fixed in version 0.149.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zeroconf zeroconf to 0.149.6 (exc)
python-zeroconf zeroconf to 0.149.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47183 is a memory exhaustion vulnerability in the python-zeroconf library. It involves an unbounded dictionary called _seen_logs that stores tracebacks and raw packet data for every unique decode error. An attacker on the local network can send malformed packets to trigger IncomingDecodeError exceptions, causing the dictionary to grow indefinitely by creating unique error strings. Each entry retains the entire raw packet (up to 8966 bytes) and traceback, consuming significant memory over time.

Detection Guidance

Monitor memory usage on systems running python-zeroconf versions below 0.149.6. Check for unbounded growth in the _seen_logs dictionary by inspecting process memory and logs for repeated decode errors. Use tools like top, htop, or ps to track memory consumption over time.

Impact Analysis

This vulnerability can lead to memory exhaustion, causing the process to be terminated by the operating system (OOM-killed). It particularly affects memory-constrained systems like embedded devices running Home Assistant on a Raspberry Pi. Services dependent on mDNS, such as HomeKit, Chromecast, Matter, AirPlay, and printers, may become unavailable or degrade in performance.

Compliance Impact

This vulnerability primarily impacts availability by causing memory exhaustion, which could lead to service disruptions or crashes. While it does not directly expose or leak data, prolonged service unavailability may violate availability requirements in GDPR (Article 32) and HIPAA (Security Rule). Memory-constrained systems like embedded devices are particularly vulnerable.

Mitigation Strategies

Upgrade python-zeroconf to version 0.149.6 or later. If upgrading is not immediately possible, restrict mDNS traffic to trusted networks using network segmentation or firewall rules to block UDP/5353 from untrusted sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart