Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GHSA-9PGC-3CCV-5297
Vulnerability from github – Published: 2026-05-29 20:09 – Updated: 2026-05-29 20:09Impact
DNSIncoming._decode_labels_at_offset recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython's default limit, and RecursionError was not listed in DECODE_EXCEPTIONS, so it escaped DNSIncoming.__init__ and was logged by asyncio's default exception handler.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.
Patches
Fixed in zeroconf 0.149.5 (PR #1719).
Upgrade to >= 0.149.5.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1719, fix
- Issue #1713, public tracking issue
- RFC 1035 §4.1.4, RFC 6762, CWE-674
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47180"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T20:09:52Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`DNSIncoming._decode_labels_at_offset` recurses once per DNS-name compression pointer (RFC 1035 \u00a74.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython\u0027s default limit, and `RecursionError` was not listed in `DECODE_EXCEPTIONS`, so it escaped `DNSIncoming.__init__` and was logged by asyncio\u0027s default exception handler.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.\n\n### Patches\nFixed in `zeroconf` 0.149.5 ([PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719)).\nUpgrade to `\u003e= 0.149.5`.\n\n### Workarounds\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n- [PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719), fix\n- [Issue #1713](https://github.com/python-zeroconf/python-zeroconf/issues/1713), public tracking issue\n- [RFC 1035 \u00a74.1.4](https://www.rfc-editor.org/rfc/rfc1035#section-4.1.4), [RFC 6762](https://www.rfc-editor.org/rfc/rfc6762), [CWE-674](https://cwe.mitre.org/data/definitions/674.html)",
"id": "GHSA-9pgc-3ccv-5297",
"modified": "2026-05-29T20:09:52Z",
"published": "2026-05-29T20:09:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9pgc-3ccv-5297"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/issues/1713"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1719"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service"
}
PYSEC-2026-3436
Vulnerability from pysec - Published: 2026-07-13 15:19 - Updated: 2026-07-13 16:07Impact
DNSIncoming._decode_labels_at_offset recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython's default limit, and RecursionError was not listed in DECODE_EXCEPTIONS, so it escaped DNSIncoming.__init__ and was logged by asyncio's default exception handler.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.
Patches
Fixed in zeroconf 0.149.5 (PR #1719).
Upgrade to >= 0.149.5.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1719, fix
- Issue #1713, public tracking issue
- RFC 1035 §4.1.4, RFC 6762, CWE-674
| Name | purl | zeroconf | pkg:pypi/zeroconf |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf",
"purl": "pkg:pypi/zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.100.0",
"0.101.0",
"0.102.0",
"0.103.0",
"0.104.0",
"0.105.0",
"0.106.0",
"0.107.0",
"0.108.0",
"0.109.0",
"0.110.0",
"0.111.0",
"0.112.0",
"0.114.0",
"0.115.0",
"0.115.1",
"0.115.2",
"0.116.0",
"0.117.0",
"0.118.0",
"0.118.1",
"0.119.0",
"0.120.0",
"0.121.0",
"0.122.0",
"0.122.1",
"0.122.2",
"0.122.3",
"0.123.0",
"0.124.0",
"0.125.0",
"0.126.0",
"0.127.0",
"0.128.0",
"0.128.1",
"0.128.2",
"0.128.3",
"0.128.4",
"0.128.5",
"0.129.0",
"0.130.0",
"0.131.0",
"0.132.0",
"0.132.1",
"0.132.2",
"0.133.0",
"0.134.0",
"0.135.0",
"0.136.0",
"0.136.1",
"0.136.2",
"0.137.0",
"0.137.1",
"0.137.2",
"0.138.0",
"0.138.1",
"0.139.0",
"0.14",
"0.140.0",
"0.140.1",
"0.141.0",
"0.142.0",
"0.143.0",
"0.143.1",
"0.144.0",
"0.144.1",
"0.144.2",
"0.144.3",
"0.145.0",
"0.145.1",
"0.146.0",
"0.146.1",
"0.146.2",
"0.146.3",
"0.146.4",
"0.146.5",
"0.147.0",
"0.147.1",
"0.147.2",
"0.147.3",
"0.147.4",
"0.148.0",
"0.149.0",
"0.149.1",
"0.149.2",
"0.149.3",
"0.149.4",
"0.15",
"0.15.1",
"0.16.0",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.17.5",
"0.17.6",
"0.17.7",
"0.18.0",
"0.19.0",
"0.19.1",
"0.20.0",
"0.21.0",
"0.21.1",
"0.21.2",
"0.21.3",
"0.22.0",
"0.23.0",
"0.24.0",
"0.24.1",
"0.24.2",
"0.24.3",
"0.24.4",
"0.24.5",
"0.25.0",
"0.25.1",
"0.26.0",
"0.26.1",
"0.26.2",
"0.26.3",
"0.27.0",
"0.27.1",
"0.28.0",
"0.28.1",
"0.28.2",
"0.28.3",
"0.28.4",
"0.28.5",
"0.28.6",
"0.28.7",
"0.28.8",
"0.29.0",
"0.30.0",
"0.31.0",
"0.32.0",
"0.32.1",
"0.33.0",
"0.33.1",
"0.33.2",
"0.33.3",
"0.33.4",
"0.34.0",
"0.34.1",
"0.34.2",
"0.34.3",
"0.35.0",
"0.35.1",
"0.36.0",
"0.36.1",
"0.36.11",
"0.36.12",
"0.36.13",
"0.36.2",
"0.36.3",
"0.36.4",
"0.36.5",
"0.36.6",
"0.36.7",
"0.36.8",
"0.36.9",
"0.37.0",
"0.38.0",
"0.38.1",
"0.38.3",
"0.38.4",
"0.38.5",
"0.38.6",
"0.38.7",
"0.39.0",
"0.39.1",
"0.39.2",
"0.39.3",
"0.39.4",
"0.43.0",
"0.44.0",
"0.45.0",
"0.46.0",
"0.47.0",
"0.47.1",
"0.47.2",
"0.47.3",
"0.47.4",
"0.48.0",
"0.49.0",
"0.50.0",
"0.51.0",
"0.52.0",
"0.53.0",
"0.53.1",
"0.54.0",
"0.55.0",
"0.56.0",
"0.57.0",
"0.58.0",
"0.58.1",
"0.58.2",
"0.59.0",
"0.60.0",
"0.61.0",
"0.62.0",
"0.63.0",
"0.64.0",
"0.64.1",
"0.65.0",
"0.66.0",
"0.67.0",
"0.68.0",
"0.68.1",
"0.69.0",
"0.70.0",
"0.71.0",
"0.71.1",
"0.71.2",
"0.71.3",
"0.71.4",
"0.71.5",
"0.72.0",
"0.72.1",
"0.72.2",
"0.72.3",
"0.73.0",
"0.74.0",
"0.75.0",
"0.76.0",
"0.77.0",
"0.78.0",
"0.79.0",
"0.80.0",
"0.81.0",
"0.82.0",
"0.82.1",
"0.83.0",
"0.83.1",
"0.84.0",
"0.85.0",
"0.86.0",
"0.87.0",
"0.88.0",
"0.89.0",
"0.90.0",
"0.91.0",
"0.91.1",
"0.92.0",
"0.93.0",
"0.93.1",
"0.94.0",
"0.95.0",
"0.96.0",
"0.97.0",
"0.98.0",
"0.99.0"
]
}
],
"aliases": [
"CVE-2026-47180",
"GHSA-9pgc-3ccv-5297"
],
"details": "### Impact\n\n`DNSIncoming._decode_labels_at_offset` recurses once per DNS-name compression pointer (RFC 1035 \u00a74.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython\u0027s default limit, and `RecursionError` was not listed in `DECODE_EXCEPTIONS`, so it escaped `DNSIncoming.__init__` and was logged by asyncio\u0027s default exception handler.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.\n\n### Patches\nFixed in `zeroconf` 0.149.5 ([PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719)).\nUpgrade to `\u003e= 0.149.5`.\n\n### Workarounds\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n- [PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719), fix\n- [Issue #1713](https://github.com/python-zeroconf/python-zeroconf/issues/1713), public tracking issue\n- [RFC 1035 \u00a74.1.4](https://www.rfc-editor.org/rfc/rfc1035#section-4.1.4), [RFC 6762](https://www.rfc-editor.org/rfc/rfc6762), [CWE-674](https://cwe.mitre.org/data/definitions/674.html)",
"id": "PYSEC-2026-3436",
"modified": "2026-07-13T16:07:36.783034Z",
"published": "2026-07-13T15:19:14.415629Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9pgc-3ccv-5297"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/issues/1713"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1719"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/zeroconf"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9pgc-3ccv-5297"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47180"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service"
}