PatchSiren

python-zeroconf CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM python-zeroconf CVE published 2026-07-17

CVE-2026-48487

CVE-2026-48487 is a MEDIUM severity vulnerability in Zeroconf, a pure Python implementation of multicast DNS service discovery. The issue allows unauthenticated hosts on the local link to send truncated, attacker-shaped key/value or address records, potentially leading to information disclosure or service disruption. Affected product deployments should be reviewed, and owners assigned for follow-up.

MEDIUM python-zeroconf CVE published 2026-07-17

CVE-2026-48045

CVE-2026-48045 is a MEDIUM severity vulnerability in Zeroconf, a pure Python implementation of multicast DNS service discovery. The vulnerability allows unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to spoof sources, grow _deferred and _timers, and cause memory exhaustion and quadratic CPU burn. This issue is fixed in version 0.149.12. The vulnerability has a CVSS score of [truncated]

MEDIUM python-zeroconf CVE published 2026-07-17

CVE-2026-47184

Zeroconf, a pure Python implementation of multicast DNS service discovery, has a vulnerability prior to version 0.149.7. The DNSCache._async_add function inserted every response record into cache, _expirations, _expire_heap, and service_cache without a cap. This allowed unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to multicast valid mDNS responses with unique names, causi [truncated]

MEDIUM python-zeroconf CVE published 2026-07-17

CVE-2026-47183

CVE-2026-47183 is a MEDIUM severity vulnerability in Zeroconf, a pure Python implementation of multicast DNS service discovery. The vulnerability is caused by an unbounded _seen_logs dictionary in DNSIncoming._log_exception_debug and the four QuietLogger exception-dedup methods, which can be exploited by unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to drive memory growth [truncated]

MEDIUM python-zeroconf CVE published 2026-07-17

CVE-2026-47180

CVE-2026-47180 is a MEDIUM severity vulnerability in Zeroconf, a pure Python implementation of multicast DNS service discovery. The issue is caused by a recursion error in DNSIncoming._decode_labels_at_offset, which can lead to sustained CPU burn, log flooding, and degraded mDNS-dependent features for unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb). The vulnerability is fixe [truncated]