CVE-2026-48487 in Zeroconfinfo

Zusammenfassung

von MITRE • 17.07.2026

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.16, _read_character_string and _read_string in src/zeroconf/_protocol/incoming.py advanced self.offset by attacker-declared RDLENGTH without checking it against self._data_len, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to send a TXT, HINFO, or A/AAAA record with rdlength=65535 and seed DNSCache and ServiceInfo.properties with truncated, attacker-shaped key/value or address records. This issue is fixed in version 0.149.16.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Zuständig

GitHub M

Reservieren

21.05.2026

Veröffentlichung

17.07.2026

Moderieren

akzeptiert

Eintrag

VDB-379906

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

low

Quellen

Interested in the pricing of exploits?

See the underground prices here!