CVE-2026-48045
Received Received - Intake

Memory Exhaustion in Zeroconf via Truncated Queries

Vulnerability report for CVE-2026-48045, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handle_query_or_defer retained every truncated TC-bit incoming query, each up to _MAX_MSG_ABSOLUTE = 8966 bytes, in self._deferred[addr] and armed a per-address timer in self._timers[addr] without capping the per-address list or distinct addr keys, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to spoof sources, grow _deferred and _timers, and cause memory exhaustion and quadratic CPU burn. This issue is fixed in version 0.149.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python zeroconf to 0.149.12 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Zeroconf (python-zeroconf before 0.149.12) allows an unauthenticated attacker on the local network to cause memory exhaustion by flooding the system with spoofed-source truncated mDNS queries. The issue stems from an unbounded deferred queue that retains every incoming truncated query in a per-address list without limits on entries or distinct source addresses.

Detection Guidance

Detecting this vulnerability requires monitoring for abnormal mDNS traffic patterns on UDP port 5353. Use tools like tcpdump or Wireshark to capture traffic: tcpdump -i any -n udp port 5353 -c 1000. Look for excessive truncated (TC-bit) queries from multiple spoofed sources. Check system memory usage and process CPU consumption for python-zeroconf or related services. High memory usage or CPU spikes during normal operation may indicate exploitation.

Impact Analysis

The vulnerability can lead to memory exhaustion (OOM kills) on constrained systems like Raspberry Pi-based Home Assistant deployments or cause event-loop starvation that disrupts other zeroconf functions. It may also result in quadratic CPU usage growth due to CPU-intensive deduplication checks running on every new query arrival.

Compliance Impact

This vulnerability primarily impacts availability by causing memory exhaustion or CPU starvation through spoofed mDNS queries. While not directly violating GDPR or HIPAA, such disruptions could lead to system downtime affecting data processing or access, potentially violating availability requirements under GDPR Article 32 or HIPAA Security Rule (45 CFR 164.308(a)(7)). Organizations must ensure systems remain operational to maintain compliance.

Mitigation Strategies

Upgrade python-zeroconf to version 0.149.12 or later immediately. If upgrading is not possible, restrict mDNS traffic to trusted network segments using firewall rules. Block UDP port 5353 from untrusted sources. Monitor system resources for memory exhaustion or CPU overload. Consider disabling mDNS services if not required.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48045. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart