Excessive CPU Utilization in Zeroconf Multicast DNS Service Discovery
CVE-2026-47180
6.5MEDIUM
What is CVE-2026-47180?
The Zeroconf library, a Python-based implementation of multicast DNS service discovery, contains a vulnerability that allows for an excessive CPU utilization and potential disruptions. The flaw occurs in the DNSIncoming._decode_labels_at_offset function, which incorrectly handles DNS-name compression pointers, enabling a malicious mDNS packet with chained pointers to trigger a RecursionError. This error can lead to sustained CPU burn and log flooding, significantly impairing mDNS-dependent features for unauthenticated hosts on a local network. Users are encouraged to upgrade to version 0.149.5 or later to mitigate this issue. For further details and the fix, refer to the official advisory and release notes.
Affected Version(s)
python-zeroconf < 0.149.5
