CVE-2026-48487 in Zeroconf
Summary
by MITRE • 07/17/2026
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, _read_character_string and _read_string in src/zeroconf/_protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self._data_len, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to send a TXT, HINFO, or A/AAAA record with rdlength=65535 and seed DNSCache and ServiceInfo.properties with truncated, attacker-shaped key/value or address records. This issue is fixed in version 0.149.16.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described represents a critical buffer overflow condition within the Zeroconf implementation that affects versions prior to 0149.16. This flaw exists in the DNS protocol parsing logic where the _read_character_string and _read_string functions fail to validate attacker-controlled RDLENGTH values against the actual data length before advancing the offset pointer. The affected code path processes incoming multicast DNS packets on the standard UDP port 5353, utilizing the multicast address 224.0.0.251 for IPv4 or ff02::fb for IPv6, making it accessible to any unauthenticated host within the local network segment.
The technical exploitation of this vulnerability relies on the fundamental principle that DNS record parsing should validate all length fields before processing data segments. In this case, the offset advancement occurs without proper bounds checking, allowing an attacker to specify an RDLENGTH value of 65535 bytes which exceeds normal DNS record sizes. This unchecked advancement results in memory corruption within the DNS cache structure and ServiceInfo.properties collection, where the attacker can inject malformed key/value pairs or address records that appear legitimate but are actually constructed with malicious intent. The vulnerability falls under CWE-129 Input Validation and CWE-787 Out-of-bounds Write categories, representing a classic case of insufficient bounds checking in network protocol parsing.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable several attack vectors within the local network environment. An attacker could manipulate service discovery results by injecting false TXT records containing misleading service properties or by spoofing A/AAAA records to redirect service lookups to malicious endpoints. This capability undermines the fundamental security assumptions of Zeroconf implementations, as it allows arbitrary hosts to influence service resolution and potentially redirect network traffic intended for legitimate services. The attack requires no authentication and operates within the standard multicast DNS communication model, making it particularly dangerous in environments where service discovery is used for critical infrastructure components.
The mitigation strategy involves upgrading to version 0.149.16 or later, which implements proper bounds checking on RDLENGTH values before advancing the parsing offset. This fix aligns with established security practices for network protocol implementations and follows the principle of least privilege in data processing. Organizations should also consider implementing network segmentation and access controls to limit exposure to untrusted hosts on local networks. Additionally, monitoring for unusual multicast DNS traffic patterns and implementing intrusion detection systems capable of identifying malformed DNS records can provide additional layers of defense. The vulnerability demonstrates the importance of proper input validation in protocol implementations and highlights the need for security testing of network services that operate at the link layer where authentication is not required.
This issue can be categorized under ATT&CK technique T1071.004 Application Layer Protocol: DNS, as it exploits the DNS protocol's parsing mechanisms to achieve unauthorized data manipulation. The vulnerability represents a classic example of how seemingly benign protocol features can become attack vectors when proper input validation is omitted, emphasizing the critical importance of defensive programming practices in security-sensitive code paths.