CVE-2026-47183 in Zeroconf
Summary
by MITRE • 07/17/2026
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.6, DNSIncoming._log_exception_debug and the four QuietLogger exception-dedup methods stored an unbounded _seen_logs dictionary keyed by attacker-influenced IncomingDecodeError messages, retaining sys.exc_info() tracebacks whose frame locals kept raw packet self.data buffers and allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to drive memory growth until mDNS-dependent features degrade or the process is OOM-killed. This issue is fixed in version 0.149.6.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability exists within the Zeroconf library's handling of multicast DNS service discovery implementations, specifically affecting versions prior to 0.149.6. This security flaw manifests through improper memory management in the DNSIncoming._log_exception_debug method and associated QuietLogger exception-deduplication functions. The core technical issue involves the unbounded growth of a _seen_logs dictionary that uses attacker-controlled IncomingDecodeError messages as keys, creating a persistent memory leak scenario that can be exploited by unauthorized network entities.
The vulnerability operates through a memory exhaustion attack vector where unauthenticated hosts on the local network can send malicious UDP packets to port 5353 using multicast addresses 224.0.0.251 or ff02::fb. These packets trigger the vulnerable code path that stores sys.exc_info() tracebacks containing raw packet data from self.data buffers within frame locals. This design flaw allows attackers to continuously feed malformed DNS packets that cause the _seen_logs dictionary to grow indefinitely, as each unique error message generates a new entry regardless of memory constraints.
The operational impact of this vulnerability extends beyond simple resource exhaustion to potentially compromise system stability and availability. Attackers can drive memory consumption to critical levels where mDNS-dependent services begin to degrade or fail entirely, ultimately leading to process termination through out-of-memory conditions. This affects systems relying on Zeroconf for service discovery, including printers, file servers, and other networked devices that depend on multicast DNS functionality.
This vulnerability maps directly to CWE-400, which addresses "Uncontrolled Resource Consumption" and specifically targets the improper handling of exception logging in network services. The attack pattern aligns with ATT&CK technique T1499.001, "Resource Hijacking: Network Denial of Service", as it enables attackers to consume system resources through legitimate network protocols. The flaw represents a classic case of insufficient input validation combined with improper resource management in network protocol handlers.
The mitigation strategy involves upgrading to Zeroconf version 0.149.6 or later, which implements bounded dictionary sizing for _seen_logs and removes the storage of raw packet data within exception tracebacks. Additional defensive measures include implementing network segmentation to limit access to multicast DNS ports, deploying rate limiting on UDP/5353 traffic, and monitoring memory consumption patterns in applications using Zeroconf libraries. System administrators should also consider implementing IDS/IPS rules that detect unusual patterns of mDNS traffic originating from unauthorized sources.
The root cause stems from inadequate defensive programming practices where exception handling code assumes unlimited memory availability for logging purposes. The design fails to account for the possibility that attacker-influenced inputs could be used to construct an unbounded number of unique dictionary keys, creating a resource exhaustion vulnerability that persists until system resources are exhausted. This represents a fundamental flaw in the library's approach to error handling and logging within network protocol implementations.
Security practitioners should note that this vulnerability demonstrates how seemingly benign logging functionality can become a critical security concern when combined with insufficient resource management controls. The fix implemented in version 0.149.6 specifically addresses the dictionary size limitation and removes the problematic storage of raw packet buffers, ensuring that even malicious inputs cannot cause indefinite memory growth through the exception handling pathways. Organizations should conduct vulnerability assessments to identify applications using affected versions of Zeroconf and implement appropriate patching schedules to maintain system security posture against such resource exhaustion attacks.