Memory Exhaustion Vulnerability in Zeroconf by Python
CVE-2026-48045
6.5MEDIUM
What is CVE-2026-48045?
The Zeroconf library, a Python implementation of multicast DNS service discovery, contains a vulnerability where it improperly handles truncated incoming queries. Before version 0.149.12, the AsyncListener.handle_query_or_defer method could retain an unlimited number of truncated queries, leading to potential memory exhaustion and increased CPU usage. This flaw allows unauthenticated local users to manipulate the network and could result in denial of service due to resource exhaustion. This issue has been resolved in version 0.149.12, which imposes limits on the retention of queries to enhance stability and security.
Affected Version(s)
python-zeroconf < 0.149.12
