Pure Python Multicast DNS Service Discovery Library (Bonjour/Avahi compatible)
Security Fix(es):
_read_character_string and _read_string in src/zeroconf/_protocol/incoming.py sliced self.data[self.offset : self.offset + length] and advanced self.offset by the declared length without checking it against self._data_len. Python's slice silently returns fewer bytes when the end index runs past the buffer, so a record whose 16-bit RDLENGTH (RFC 1035 ยง3.2.1) over-advertised by tens of kilobytes was constructed from a truncated payload, appended to DNSIncoming._answers, and committed to the cache before any later parse failure surfaced. Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can multicast a single mDNS response carrying a TXT, HINFO, or A/AAAA record that advertises rdlength=65535 and only a handful of real payload bytes; consumers calling ServiceInfo.properties then parse the truncated bytes as if they matched the wire, and downstream integrations (Home Assistant and other zeroconf-driven discovery) trust the decoded record. The bug is parser-state desync rather than RCE, but it seeds the cache with attacker-shaped key/value and address records for a TTL window and is a building block for higher-impact chains.(CVE-2026-48487)
{
"severity": "Medium"
}