CVE-2026-48487
Received Received - Intake

Buffer Overflow in Zeroconf Python Library

Vulnerability report for CVE-2026-48487, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, _read_character_string and _read_string in src/zeroconf/_protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self._data_len, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to send a TXT, HINFO, or A/AAAA record with rdlength=65535 and seed DNSCache and ServiceInfo.properties with truncated, attacker-shaped key/value or address records. This issue is fixed in version 0.149.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zeroconf zeroconf to 0.149.16 (exc)
python-zeroconf zeroconf to 0.149.16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Zeroconf library, specifically versions before 0.149.16. It involves improper handling of the rdlength field in DNS packets, allowing attackers on the local network to send malformed mDNS responses. The functions _read_character_string and _read_string in incoming.py do not validate if the declared rdlength exceeds the available buffer, causing silent data truncation and potential cache corruption.

Detection Guidance

Monitor mDNS traffic on UDP port 5353 for malformed packets with unusually large rdlength values. Use tcpdump to capture traffic: tcpdump -i any -n udp port 5353 -w mdns_traffic.pcap. Inspect packets for records with rdlength=65535 or truncated payloads. Check Zeroconf logs for cache corruption errors or unexpected record formats.

Impact Analysis

An attacker could exploit this to inject corrupted DNS records into the cache, affecting applications relying on Zeroconf like Home Assistant. This may lead to incorrect data interpretation, desynchronization of record parsing, and potential cache poisoning, disrupting local network service discovery.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR or HIPAA as it involves local network mDNS packet processing in the zeroconf library. However, if exploited, it could lead to cache poisoning or incorrect data interpretation in systems like Home Assistant, potentially impacting data integrity in environments subject to these regulations.

Mitigation Strategies

Upgrade python-zeroconf to version 0.149.16 or later. Restrict mDNS traffic to trusted local networks by configuring firewalls to block UDP/5353 from untrusted sources. Monitor affected systems for cache corruption or unexpected behavior after applying updates.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart