CVE-2026-48487 in Zeroconfالمعلومات

الملخص

بحسب MITRE • 17/07/2026

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, _read_character_string and _read_string in src/zeroconf/_protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self._data_len, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to send a TXT, HINFO, or A/AAAA record with rdlength=65535 and seed DNSCache and ServiceInfo.properties with truncated, attacker-shaped key/value or address records. This issue is fixed in version 0.149.16.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

مسؤول

GitHub M

حجز

21/05/2026

إفشاء

17/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-379906

EPSS

0.00000

KEV

لا

النشاطات

منخفض

المصادر

Want to stay up to date on a daily basis?

Enable the mail alert feature now!