CVE-2026-48045 in Zeroconfinformation

Résumé

par MITRE • 17/07/2026

Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handle_query_or_defer retained every truncated TC-bit incoming query, each up to _MAX_MSG_ABSOLUTE = 8966 bytes, in self._deferred[addr] and armed a per-address timer in self._timers[addr] without capping the per-address list or distinct addr keys, allowing unauthenticated hosts on the local link over UDP/5353 (224.0.0.251 / ff02::fb) to spoof sources, grow _deferred and _timers, and cause memory exhaustion and quadratic CPU burn. This issue is fixed in version 0.149.12.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsable

GitHub M

Réserver

20/05/2026

Divulgation

17/07/2026

Modérer

accepté

Entrée

VDB-379902

CPE

prêt

EPSS

0.00000

KEV

non

Activités

très faible

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!