Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GHSA-9663-MQMP-P9MM
Vulnerability from github – Published: 2026-06-11 13:28 – Updated: 2026-06-11 13:28Impact
AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and the dedup check (for incoming in reversed(deferred): if incoming.data == msg.data) ran O(N) over the per-addr list on every arrival.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can stream byte-distinct TC-flagged mDNS queries — each up to _MAX_MSG_ABSOLUTE = 8966 bytes, with DNSIncoming retaining the raw data buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across _deferred / _timers, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).
Patches
Fixed in zeroconf 0.149.12 (PR #1751). Upgrade to >= 0.149.12.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1751, fix
- RFC 6762 §18.5, CWE-400
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48045"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:28:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 \u00a718.5). Neither the per-addr list nor the number of distinct `addr` keys was capped, and the dedup check (`for incoming in reversed(deferred): if incoming.data == msg.data`) ran O(N) over the per-addr list on every arrival.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can stream byte-distinct TC-flagged mDNS queries \u2014 each up to `_MAX_MSG_ABSOLUTE = 8966` bytes, with `DNSIncoming` retaining the raw `data` buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across `_deferred` / `_timers`, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).\n\n### Patches\n\nFixed in `zeroconf` 0.149.12 ([PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751)). Upgrade to `\u003e= 0.149.12`.\n\n### Workarounds\n\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n\n- [PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751), fix\n- [RFC 6762 \u00a718.5](https://www.rfc-editor.org/rfc/rfc6762#section-18.5), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)",
"id": "GHSA-9663-mqmp-p9mm",
"modified": "2026-06-11T13:28:55Z",
"published": "2026-06-11T13:28:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9663-mqmp-p9mm"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1751"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/commit/b22c8ff19c66c68907d220a4823c0950f4fa93f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood"
}
PYSEC-2026-3435
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:07Impact
AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and the dedup check (for incoming in reversed(deferred): if incoming.data == msg.data) ran O(N) over the per-addr list on every arrival.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can stream byte-distinct TC-flagged mDNS queries — each up to _MAX_MSG_ABSOLUTE = 8966 bytes, with DNSIncoming retaining the raw data buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across _deferred / _timers, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).
Patches
Fixed in zeroconf 0.149.12 (PR #1751). Upgrade to >= 0.149.12.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1751, fix
- RFC 6762 §18.5, CWE-400
| Name | purl | zeroconf | pkg:pypi/zeroconf |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf",
"purl": "pkg:pypi/zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.12"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.100.0",
"0.101.0",
"0.102.0",
"0.103.0",
"0.104.0",
"0.105.0",
"0.106.0",
"0.107.0",
"0.108.0",
"0.109.0",
"0.110.0",
"0.111.0",
"0.112.0",
"0.114.0",
"0.115.0",
"0.115.1",
"0.115.2",
"0.116.0",
"0.117.0",
"0.118.0",
"0.118.1",
"0.119.0",
"0.120.0",
"0.121.0",
"0.122.0",
"0.122.1",
"0.122.2",
"0.122.3",
"0.123.0",
"0.124.0",
"0.125.0",
"0.126.0",
"0.127.0",
"0.128.0",
"0.128.1",
"0.128.2",
"0.128.3",
"0.128.4",
"0.128.5",
"0.129.0",
"0.130.0",
"0.131.0",
"0.132.0",
"0.132.1",
"0.132.2",
"0.133.0",
"0.134.0",
"0.135.0",
"0.136.0",
"0.136.1",
"0.136.2",
"0.137.0",
"0.137.1",
"0.137.2",
"0.138.0",
"0.138.1",
"0.139.0",
"0.14",
"0.140.0",
"0.140.1",
"0.141.0",
"0.142.0",
"0.143.0",
"0.143.1",
"0.144.0",
"0.144.1",
"0.144.2",
"0.144.3",
"0.145.0",
"0.145.1",
"0.146.0",
"0.146.1",
"0.146.2",
"0.146.3",
"0.146.4",
"0.146.5",
"0.147.0",
"0.147.1",
"0.147.2",
"0.147.3",
"0.147.4",
"0.148.0",
"0.149.0",
"0.149.1",
"0.149.10",
"0.149.11",
"0.149.2",
"0.149.3",
"0.149.4",
"0.149.5",
"0.149.6",
"0.149.7",
"0.149.8",
"0.149.9",
"0.15",
"0.15.1",
"0.16.0",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.17.5",
"0.17.6",
"0.17.7",
"0.18.0",
"0.19.0",
"0.19.1",
"0.20.0",
"0.21.0",
"0.21.1",
"0.21.2",
"0.21.3",
"0.22.0",
"0.23.0",
"0.24.0",
"0.24.1",
"0.24.2",
"0.24.3",
"0.24.4",
"0.24.5",
"0.25.0",
"0.25.1",
"0.26.0",
"0.26.1",
"0.26.2",
"0.26.3",
"0.27.0",
"0.27.1",
"0.28.0",
"0.28.1",
"0.28.2",
"0.28.3",
"0.28.4",
"0.28.5",
"0.28.6",
"0.28.7",
"0.28.8",
"0.29.0",
"0.30.0",
"0.31.0",
"0.32.0",
"0.32.1",
"0.33.0",
"0.33.1",
"0.33.2",
"0.33.3",
"0.33.4",
"0.34.0",
"0.34.1",
"0.34.2",
"0.34.3",
"0.35.0",
"0.35.1",
"0.36.0",
"0.36.1",
"0.36.11",
"0.36.12",
"0.36.13",
"0.36.2",
"0.36.3",
"0.36.4",
"0.36.5",
"0.36.6",
"0.36.7",
"0.36.8",
"0.36.9",
"0.37.0",
"0.38.0",
"0.38.1",
"0.38.3",
"0.38.4",
"0.38.5",
"0.38.6",
"0.38.7",
"0.39.0",
"0.39.1",
"0.39.2",
"0.39.3",
"0.39.4",
"0.43.0",
"0.44.0",
"0.45.0",
"0.46.0",
"0.47.0",
"0.47.1",
"0.47.2",
"0.47.3",
"0.47.4",
"0.48.0",
"0.49.0",
"0.50.0",
"0.51.0",
"0.52.0",
"0.53.0",
"0.53.1",
"0.54.0",
"0.55.0",
"0.56.0",
"0.57.0",
"0.58.0",
"0.58.1",
"0.58.2",
"0.59.0",
"0.60.0",
"0.61.0",
"0.62.0",
"0.63.0",
"0.64.0",
"0.64.1",
"0.65.0",
"0.66.0",
"0.67.0",
"0.68.0",
"0.68.1",
"0.69.0",
"0.70.0",
"0.71.0",
"0.71.1",
"0.71.2",
"0.71.3",
"0.71.4",
"0.71.5",
"0.72.0",
"0.72.1",
"0.72.2",
"0.72.3",
"0.73.0",
"0.74.0",
"0.75.0",
"0.76.0",
"0.77.0",
"0.78.0",
"0.79.0",
"0.80.0",
"0.81.0",
"0.82.0",
"0.82.1",
"0.83.0",
"0.83.1",
"0.84.0",
"0.85.0",
"0.86.0",
"0.87.0",
"0.88.0",
"0.89.0",
"0.90.0",
"0.91.0",
"0.91.1",
"0.92.0",
"0.93.0",
"0.93.1",
"0.94.0",
"0.95.0",
"0.96.0",
"0.97.0",
"0.98.0",
"0.99.0"
]
}
],
"aliases": [
"CVE-2026-48045",
"GHSA-9663-mqmp-p9mm"
],
"details": "### Impact\n\n`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 \u00a718.5). Neither the per-addr list nor the number of distinct `addr` keys was capped, and the dedup check (`for incoming in reversed(deferred): if incoming.data == msg.data`) ran O(N) over the per-addr list on every arrival.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can stream byte-distinct TC-flagged mDNS queries \u2014 each up to `_MAX_MSG_ABSOLUTE = 8966` bytes, with `DNSIncoming` retaining the raw `data` buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across `_deferred` / `_timers`, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).\n\n### Patches\n\nFixed in `zeroconf` 0.149.12 ([PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751)). Upgrade to `\u003e= 0.149.12`.\n\n### Workarounds\n\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n\n- [PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751), fix\n- [RFC 6762 \u00a718.5](https://www.rfc-editor.org/rfc/rfc6762#section-18.5), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)",
"id": "PYSEC-2026-3435",
"modified": "2026-07-13T16:07:36.645444Z",
"published": "2026-07-13T15:46:16.573699Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9663-mqmp-p9mm"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1751"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/commit/b22c8ff19c66c68907d220a4823c0950f4fa93f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/zeroconf"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9663-mqmp-p9mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48045"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood"
}