PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47184 python-zeroconf CVE debrief

Zeroconf, a pure Python implementation of multicast DNS service discovery, has a vulnerability prior to version 0.149.7. The DNSCache._async_add function inserted every response record into cache, _expirations, _expire_heap, and service_cache without a cap. This allowed unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to multicast valid mDNS responses with unique names, causing memory exhaustion, slower cache lookups, slower async_expire passes, and broken discovery, registration, and ServiceBrowser callbacks. The issue is fixed in version 0.149.7. Evidence basis indicates that defenders should prioritize updates and monitor for potential issues.

Vendor
python-zeroconf
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Zeroconf, particularly those using versions prior to 0.149.7, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.149.7 or later, and monitoring for potential memory exhaustion and performance issues. Affected operator, platform, vulnerability-management, and security-team impact may occur if not addressed.

Technical summary

The vulnerability in Zeroconf allows unauthenticated hosts on the local link to cause memory exhaustion and performance issues by multicasting valid mDNS responses with unique names. This is due to the DNSCache._async_add function inserting every response record into cache, _expirations, _expire_heap, and service_cache without a cap. The issue is fixed in version 0.149.7. Affected product deployments may experience slower cache lookups, slower async_expire passes, and broken discovery, registration, and ServiceBrowser callbacks. Defensive impact includes prioritizing updates to version 0.149.7 or later, and monitoring for potential issues.

Defensive priority

Medium

Recommended defensive actions

  • Update Zeroconf to version 0.149.7 or later
  • Monitor for potential memory exhaustion and performance issues
  • Implement rate limiting on mDNS responses
  • Verify cache and expiration settings
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability is described in the CVE record and the NVD detail page. The fix is available in version 0.149.7 of Zeroconf. Evidence limits suggest that affected deployments may exist in managed environments, particularly those using versions prior to 0.149.7. Defenders should verify cache and expiration settings, and monitor for potential memory exhaustion and performance issues. Limited source detail indicates that further review of compensating controls and vendor guidance is necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:15.440Z and has not been modified since then.