GHSA-9663-mqmp-p9mm

Source

https://github.com/advisories/GHSA-9663-mqmp-p9mm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9663-mqmp-p9mm/GHSA-9663-mqmp-p9mm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9663-mqmp-p9mm

Aliases

CVE-2026-48045

Published

2026-06-11T13:28:55Z

Modified

2026-06-11T13:45:20.282330810Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood

Details

Impact

AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and the dedup check (for incoming in reversed(deferred): if incoming.data == msg.data) ran O(N) over the per-addr list on every arrival.

Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can stream byte-distinct TC-flagged mDNS queries — each up to _MAX_MSG_ABSOLUTE = 8966 bytes, with DNSIncoming retaining the raw data buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across _deferred / _timers, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).

Patches

Fixed in zeroconf 0.149.12 (PR #1751). Upgrade to >= 0.149.12.

Workarounds

There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

Resources

PR #1751, fix
RFC 6762 §18.5, CWE-400

Database specific

{
    "github_reviewed_at": "2026-06-11T13:28:55Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

PyPI / zeroconf

Package

Name: zeroconf; View open source insights on deps.dev
Purl: pkg:pypi/zeroconf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.149.12

Affected versions

0.*

0.14

0.15

0.15.1

0.16.0

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.17.6

0.17.7

0.18.0

0.19.0

0.19.1

0.20.0

0.21.0

0.21.1

0.21.2

0.21.3

0.22.0

0.23.0

0.24.0

0.24.1

0.24.2

0.24.3

0.24.4

0.24.5

0.25.0

0.25.1

0.26.0

0.26.1

0.26.2

0.26.3

0.27.0

0.27.1

0.28.0

0.28.1

0.28.2

0.28.3

0.28.4

0.28.5

0.28.6

0.28.7

0.28.8

0.29.0

0.30.0

0.31.0

0.32.0

0.32.1

0.33.0

0.33.1

0.33.2

0.33.3

0.33.4

0.34.0

0.34.1

0.34.2

0.34.3

0.35.0

0.35.1

0.36.0

0.36.1

0.36.2

0.36.3

0.36.4

0.36.5

0.36.6

0.36.7

0.36.8

0.36.9

0.36.11

0.36.12

0.36.13

0.37.0

0.38.0

0.38.1

0.38.3

0.38.4

0.38.5

0.38.6

0.38.7

0.39.0

0.39.1

0.39.2

0.39.3

0.39.4

0.43.0

0.44.0

0.45.0

0.46.0

0.47.0

0.47.1

0.47.2

0.47.3

0.47.4

0.48.0

0.49.0

0.50.0

0.51.0

0.52.0

0.53.0

0.53.1

0.54.0

0.55.0

0.56.0

0.57.0

0.58.0

0.58.1

0.58.2

0.59.0

0.60.0

0.61.0

0.62.0

0.63.0

0.64.0

0.64.1

0.65.0

0.66.0

0.67.0

0.68.0

0.68.1

0.69.0

0.70.0

0.71.0

0.71.1

0.71.2

0.71.3

0.71.4

0.71.5

0.72.0

0.72.1

0.72.2

0.72.3

0.73.0

0.74.0

0.75.0

0.76.0

0.77.0

0.78.0

0.79.0

0.80.0

0.81.0

0.82.0

0.82.1

0.83.0

0.83.1

0.84.0

0.85.0

0.86.0

0.87.0

0.88.0

0.89.0

0.90.0

0.91.0

0.91.1

0.92.0

0.93.0

0.93.1

0.94.0

0.95.0

0.96.0

0.97.0

0.98.0

0.99.0

0.100.0

0.101.0

0.102.0

0.103.0

0.104.0

0.105.0

0.106.0

0.107.0

0.108.0

0.109.0

0.110.0

0.111.0

0.112.0

0.114.0

0.115.0

0.115.1

0.115.2

0.116.0

0.117.0

0.118.0

0.118.1

0.119.0

0.120.0

0.121.0

0.122.0

0.122.1

0.122.2

0.122.3

0.123.0

0.124.0

0.125.0

0.126.0

0.127.0

0.128.0

0.128.1

0.128.2

0.128.3

0.128.4

0.128.5

0.129.0

0.130.0

0.131.0

0.132.0

0.132.1

0.132.2

0.133.0

0.134.0

0.135.0

0.136.0

0.136.1

0.136.2

0.137.0

0.137.1

0.137.2

0.138.0

0.138.1

0.139.0

0.140.0

0.140.1

0.141.0

0.142.0

0.143.0

0.143.1

0.144.0

0.144.1

0.144.2

0.144.3

0.145.0

0.145.1

0.146.0

0.146.1

0.146.2

0.146.3

0.146.4

0.146.5

0.147.0

0.147.1

0.147.2

0.147.3

0.147.4

0.148.0

0.149.0

0.149.1

0.149.2

0.149.3

0.149.4

0.149.5

0.149.6

0.149.7

0.149.8

0.149.9

0.149.10

0.149.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-9663-mqmp-p9mm/GHSA-9663-mqmp-p9mm.json"