PatchSiren cyber security CVE debrief
CVE-2026-47184 python-zeroconf CVE debrief
Zeroconf, a pure Python implementation of multicast DNS service discovery, has a vulnerability prior to version 0.149.7. The DNSCache._async_add function inserted every response record into cache, _expirations, _expire_heap, and service_cache without a cap. This allowed unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to multicast valid mDNS responses with unique names, causing memory exhaustion, slower cache lookups, slower async_expire passes, and broken discovery, registration, and ServiceBrowser callbacks. The issue is fixed in version 0.149.7. Evidence basis indicates that defenders should prioritize updates and monitor for potential issues.
- Vendor
- python-zeroconf
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Zeroconf, particularly those using versions prior to 0.149.7, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.149.7 or later, and monitoring for potential memory exhaustion and performance issues. Affected operator, platform, vulnerability-management, and security-team impact may occur if not addressed.
Technical summary
The vulnerability in Zeroconf allows unauthenticated hosts on the local link to cause memory exhaustion and performance issues by multicasting valid mDNS responses with unique names. This is due to the DNSCache._async_add function inserting every response record into cache, _expirations, _expire_heap, and service_cache without a cap. The issue is fixed in version 0.149.7. Affected product deployments may experience slower cache lookups, slower async_expire passes, and broken discovery, registration, and ServiceBrowser callbacks. Defensive impact includes prioritizing updates to version 0.149.7 or later, and monitoring for potential issues.
Defensive priority
Medium
Recommended defensive actions
- Update Zeroconf to version 0.149.7 or later
- Monitor for potential memory exhaustion and performance issues
- Implement rate limiting on mDNS responses
- Verify cache and expiration settings
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability is described in the CVE record and the NVD detail page. The fix is available in version 0.149.7 of Zeroconf. Evidence limits suggest that affected deployments may exist in managed environments, particularly those using versions prior to 0.149.7. Defenders should verify cache and expiration settings, and monitor for potential memory exhaustion and performance issues. Limited source detail indicates that further review of compensating controls and vendor guidance is necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:15.440Z and has not been modified since then.