Memory Exhaustion Vulnerability in Zeroconf by Python
CVE-2026-48045

6.5MEDIUM

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48045?

The Zeroconf library, a Python implementation of multicast DNS service discovery, contains a vulnerability where it improperly handles truncated incoming queries. Before version 0.149.12, the AsyncListener.handle_query_or_defer method could retain an unlimited number of truncated queries, leading to potential memory exhaustion and increased CPU usage. This flaw allows unauthenticated local users to manipulate the network and could result in denial of service due to resource exhaustion. This issue has been resolved in version 0.149.12, which imposes limits on the retention of queries to enhance stability and security.

Affected Version(s)

python-zeroconf < 0.149.12

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.