CVE-2026-48487
MEDIUM
5.3
CVSS 4.0
Description
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, _read_character_string and _read_string in src/zeroconf/_protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self._data_len, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to send a TXT, HINFO, or A/AAAA record with rdlength=65535 and seed DNSCache and ServiceInfo.properties with truncated, attacker-shaped key/value or address records. This issue is fixed in version 0.149.16.
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 4.0
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| python-zeroconf | python-zeroconf | — | < 0.149.16 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-130 | cna | CWE-130: Improper Handling of Length Parameter Inconsistency |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (5)
- https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-qc2x-6f54-m6h9 https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-qc2x-6f54-m6h9
- https://github.com/python-zeroconf/python-zeroconf/issues/1752 https://github.com/python-zeroconf/python-zeroconf/issues/1752
- https://github.com/python-zeroconf/python-zeroconf/pull/1756 https://github.com/python-zeroconf/python-zeroconf/pull/1756
- https://github.com/python-zeroconf/python-zeroconf/commit/544449596e645fcaad3834fa0cb614a54f847a82 https://github.com/python-zeroconf/python-zeroconf/commit/544449596e645fcaad3834fa0cb614a54f847a82
- https://github.com/python-zeroconf/python-zeroconf/releases/tag/0.149.16 https://github.com/python-zeroconf/python-zeroconf/releases/tag/0.149.16