Vulnerability in Zeroconf Multicast DNS Service Discovery Affects Python Implementation
CVE-2026-48487

5.3MEDIUM

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48487?

The Zeroconf library, a pure Python implementation of multicast DNS service discovery, is vulnerable to improper input validation. In versions prior to 0.149.16, the methods _read_character_string and _read_string in the source code allowed for the self.offset to be advanced based on an attacker-defined RDLENGTH, without adequate checks against the length of the data received. This flaw permits unauthenticated local links to send malicious TXT, HINFO, or A/AAAA records over UDP/5353, potentially allowing attackers to manipulate cached data with truncated records, thereby compromising the integrity of service discovery on affected systems. This vulnerability has been addressed in version 0.149.16.

Affected Version(s)

python-zeroconf < 0.149.16

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.