Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    GHSA-9663-MQMP-P9MM

    Vulnerability from github – Published: 2026-06-11 13:28 – Updated: 2026-06-11 13:28
    VLAI
    Summary
    python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
    Details

    Impact

    AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and the dedup check (for incoming in reversed(deferred): if incoming.data == msg.data) ran O(N) over the per-addr list on every arrival.

    Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can stream byte-distinct TC-flagged mDNS queries — each up to _MAX_MSG_ABSOLUTE = 8966 bytes, with DNSIncoming retaining the raw data buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across _deferred / _timers, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).

    Patches

    Fixed in zeroconf 0.149.12 (PR #1751). Upgrade to >= 0.149.12.

    Workarounds

    There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

    Resources

    Show details on source website

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "zeroconf"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.149.12"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48045"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-400",
          "CWE-770"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-06-11T13:28:55Z",
        "nvd_published_at": null,
        "severity": "MODERATE"
      },
      "details": "### Impact\n\n`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 \u00a718.5). Neither the per-addr list nor the number of distinct `addr` keys was capped, and the dedup check (`for incoming in reversed(deferred): if incoming.data == msg.data`) ran O(N) over the per-addr list on every arrival.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can stream byte-distinct TC-flagged mDNS queries \u2014 each up to `_MAX_MSG_ABSOLUTE = 8966` bytes, with `DNSIncoming` retaining the raw `data` buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across `_deferred` / `_timers`, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).\n\n### Patches\n\nFixed in `zeroconf` 0.149.12 ([PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751)). Upgrade to `\u003e= 0.149.12`.\n\n### Workarounds\n\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n\n- [PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751), fix\n- [RFC 6762 \u00a718.5](https://www.rfc-editor.org/rfc/rfc6762#section-18.5), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)",
      "id": "GHSA-9663-mqmp-p9mm",
      "modified": "2026-06-11T13:28:55Z",
      "published": "2026-06-11T13:28:55Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9663-mqmp-p9mm"
        },
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/pull/1751"
        },
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/commit/b22c8ff19c66c68907d220a4823c0950f4fa93f7"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/python-zeroconf/python-zeroconf"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ],
      "summary": "python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood"
    }

    PYSEC-2026-3435

    Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:07
    VLAI
    Details

    Impact

    AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and the dedup check (for incoming in reversed(deferred): if incoming.data == msg.data) ran O(N) over the per-addr list on every arrival.

    Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can stream byte-distinct TC-flagged mDNS queries — each up to _MAX_MSG_ABSOLUTE = 8966 bytes, with DNSIncoming retaining the raw data buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across _deferred / _timers, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).

    Patches

    Fixed in zeroconf 0.149.12 (PR #1751). Upgrade to >= 0.149.12.

    Workarounds

    There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

    Resources

    Impacted products
    Name purl
    zeroconf pkg:pypi/zeroconf

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "zeroconf",
            "purl": "pkg:pypi/zeroconf"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.149.12"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.100.0",
            "0.101.0",
            "0.102.0",
            "0.103.0",
            "0.104.0",
            "0.105.0",
            "0.106.0",
            "0.107.0",
            "0.108.0",
            "0.109.0",
            "0.110.0",
            "0.111.0",
            "0.112.0",
            "0.114.0",
            "0.115.0",
            "0.115.1",
            "0.115.2",
            "0.116.0",
            "0.117.0",
            "0.118.0",
            "0.118.1",
            "0.119.0",
            "0.120.0",
            "0.121.0",
            "0.122.0",
            "0.122.1",
            "0.122.2",
            "0.122.3",
            "0.123.0",
            "0.124.0",
            "0.125.0",
            "0.126.0",
            "0.127.0",
            "0.128.0",
            "0.128.1",
            "0.128.2",
            "0.128.3",
            "0.128.4",
            "0.128.5",
            "0.129.0",
            "0.130.0",
            "0.131.0",
            "0.132.0",
            "0.132.1",
            "0.132.2",
            "0.133.0",
            "0.134.0",
            "0.135.0",
            "0.136.0",
            "0.136.1",
            "0.136.2",
            "0.137.0",
            "0.137.1",
            "0.137.2",
            "0.138.0",
            "0.138.1",
            "0.139.0",
            "0.14",
            "0.140.0",
            "0.140.1",
            "0.141.0",
            "0.142.0",
            "0.143.0",
            "0.143.1",
            "0.144.0",
            "0.144.1",
            "0.144.2",
            "0.144.3",
            "0.145.0",
            "0.145.1",
            "0.146.0",
            "0.146.1",
            "0.146.2",
            "0.146.3",
            "0.146.4",
            "0.146.5",
            "0.147.0",
            "0.147.1",
            "0.147.2",
            "0.147.3",
            "0.147.4",
            "0.148.0",
            "0.149.0",
            "0.149.1",
            "0.149.10",
            "0.149.11",
            "0.149.2",
            "0.149.3",
            "0.149.4",
            "0.149.5",
            "0.149.6",
            "0.149.7",
            "0.149.8",
            "0.149.9",
            "0.15",
            "0.15.1",
            "0.16.0",
            "0.17.0",
            "0.17.1",
            "0.17.2",
            "0.17.3",
            "0.17.4",
            "0.17.5",
            "0.17.6",
            "0.17.7",
            "0.18.0",
            "0.19.0",
            "0.19.1",
            "0.20.0",
            "0.21.0",
            "0.21.1",
            "0.21.2",
            "0.21.3",
            "0.22.0",
            "0.23.0",
            "0.24.0",
            "0.24.1",
            "0.24.2",
            "0.24.3",
            "0.24.4",
            "0.24.5",
            "0.25.0",
            "0.25.1",
            "0.26.0",
            "0.26.1",
            "0.26.2",
            "0.26.3",
            "0.27.0",
            "0.27.1",
            "0.28.0",
            "0.28.1",
            "0.28.2",
            "0.28.3",
            "0.28.4",
            "0.28.5",
            "0.28.6",
            "0.28.7",
            "0.28.8",
            "0.29.0",
            "0.30.0",
            "0.31.0",
            "0.32.0",
            "0.32.1",
            "0.33.0",
            "0.33.1",
            "0.33.2",
            "0.33.3",
            "0.33.4",
            "0.34.0",
            "0.34.1",
            "0.34.2",
            "0.34.3",
            "0.35.0",
            "0.35.1",
            "0.36.0",
            "0.36.1",
            "0.36.11",
            "0.36.12",
            "0.36.13",
            "0.36.2",
            "0.36.3",
            "0.36.4",
            "0.36.5",
            "0.36.6",
            "0.36.7",
            "0.36.8",
            "0.36.9",
            "0.37.0",
            "0.38.0",
            "0.38.1",
            "0.38.3",
            "0.38.4",
            "0.38.5",
            "0.38.6",
            "0.38.7",
            "0.39.0",
            "0.39.1",
            "0.39.2",
            "0.39.3",
            "0.39.4",
            "0.43.0",
            "0.44.0",
            "0.45.0",
            "0.46.0",
            "0.47.0",
            "0.47.1",
            "0.47.2",
            "0.47.3",
            "0.47.4",
            "0.48.0",
            "0.49.0",
            "0.50.0",
            "0.51.0",
            "0.52.0",
            "0.53.0",
            "0.53.1",
            "0.54.0",
            "0.55.0",
            "0.56.0",
            "0.57.0",
            "0.58.0",
            "0.58.1",
            "0.58.2",
            "0.59.0",
            "0.60.0",
            "0.61.0",
            "0.62.0",
            "0.63.0",
            "0.64.0",
            "0.64.1",
            "0.65.0",
            "0.66.0",
            "0.67.0",
            "0.68.0",
            "0.68.1",
            "0.69.0",
            "0.70.0",
            "0.71.0",
            "0.71.1",
            "0.71.2",
            "0.71.3",
            "0.71.4",
            "0.71.5",
            "0.72.0",
            "0.72.1",
            "0.72.2",
            "0.72.3",
            "0.73.0",
            "0.74.0",
            "0.75.0",
            "0.76.0",
            "0.77.0",
            "0.78.0",
            "0.79.0",
            "0.80.0",
            "0.81.0",
            "0.82.0",
            "0.82.1",
            "0.83.0",
            "0.83.1",
            "0.84.0",
            "0.85.0",
            "0.86.0",
            "0.87.0",
            "0.88.0",
            "0.89.0",
            "0.90.0",
            "0.91.0",
            "0.91.1",
            "0.92.0",
            "0.93.0",
            "0.93.1",
            "0.94.0",
            "0.95.0",
            "0.96.0",
            "0.97.0",
            "0.98.0",
            "0.99.0"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48045",
        "GHSA-9663-mqmp-p9mm"
      ],
      "details": "### Impact\n\n`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 \u00a718.5). Neither the per-addr list nor the number of distinct `addr` keys was capped, and the dedup check (`for incoming in reversed(deferred): if incoming.data == msg.data`) ran O(N) over the per-addr list on every arrival.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can stream byte-distinct TC-flagged mDNS queries \u2014 each up to `_MAX_MSG_ABSOLUTE = 8966` bytes, with `DNSIncoming` retaining the raw `data` buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across `_deferred` / `_timers`, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).\n\n### Patches\n\nFixed in `zeroconf` 0.149.12 ([PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751)). Upgrade to `\u003e= 0.149.12`.\n\n### Workarounds\n\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n\n- [PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751), fix\n- [RFC 6762 \u00a718.5](https://www.rfc-editor.org/rfc/rfc6762#section-18.5), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)",
      "id": "PYSEC-2026-3435",
      "modified": "2026-07-13T16:07:36.645444Z",
      "published": "2026-07-13T15:46:16.573699Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9663-mqmp-p9mm"
        },
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/pull/1751"
        },
        {
          "type": "WEB",
          "url": "https://github.com/python-zeroconf/python-zeroconf/commit/b22c8ff19c66c68907d220a4823c0950f4fa93f7"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/python-zeroconf/python-zeroconf"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/zeroconf"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-9663-mqmp-p9mm"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48045"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ],
      "summary": "python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood"
    }