CVE-2026-47184 in Zeroconf
Summary
by MITRE • 07/17/2026
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.7, DNSCache._async_add inserted every response record into cache, _expirations, _expire_heap, and service_cache without a cap, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to multicast valid mDNS responses with unique names and cause memory exhaustion, slower cache lookups, slower async_expire passes, and broken discovery, registration, and ServiceBrowser callbacks. This issue is fixed in version 0.149.7.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described represents a critical memory exhaustion flaw in the Zeroconf library's multicast DNS service discovery implementation, affecting versions prior to 0149.7. This issue resides in the DNSCache._async_add method which fails to implement proper cache size limitations when processing incoming multicast DNS responses. The flaw allows any unauthenticated host on the local network segment to exploit UDP port 5353 using the multicast address 224.0.0.251 (IPv4) or ff02::fb (IPv6) to send valid mDNS responses containing unique service names. The absence of cache capacity controls means that each incoming response record is unconditionally added to multiple internal data structures including the main cache, expiration tracking, heap-based expiration queue, and service cache collections without any upper bounds enforcement.
The technical impact of this vulnerability extends beyond simple resource consumption to fundamentally disrupt the normal operation of mDNS discovery mechanisms. Attackers can systematically fill the memory caches with numerous unique records, causing significant performance degradation through slower cache lookup times and extended asynchronous expiration processing cycles. This memory exhaustion directly affects core Zeroconf functionality including service discovery, registration processes, and ServiceBrowser callback operations which rely on efficient cache management for proper operation. The vulnerability essentially enables a denial-of-service condition that compromises the availability and responsiveness of network service discovery capabilities.
From a cybersecurity perspective, this vulnerability aligns with CWE-400 which addresses "Uncontrolled Resource Consumption" and exhibits characteristics consistent with resource exhaustion attacks that can be classified under ATT&CK technique T1499.2 for "Resource Hijacking". The attack vector leverages the inherent trust model of local network multicast communications where hosts on the same segment are implicitly trusted to participate in service discovery without authentication requirements. This flaw demonstrates a critical design oversight in implementing proper bounds checking and resource management within the DNS cache implementation, particularly when handling untrusted input from potentially malicious network participants.
The mitigation strategy requires immediate deployment of Zeroconf version 0.149.7 or later which implements proper cache size limitations and cap enforcement for all internal cache collections. Organizations should also consider implementing network segmentation controls to limit multicast traffic exposure where possible, though the primary defense remains the patched library implementation. Security monitoring should include detection of unusual cache growth patterns and service discovery performance degradation that could indicate exploitation attempts. Additionally, administrators should ensure proper version control practices are maintained across all systems utilizing Zeroconf for service discovery to prevent deployment of vulnerable library versions in production environments.