zeroconf (python-zeroconf), Cache Corruption via Unvalidated RDLENGTH, CVE-2026-48487 (Low) -DC-Jun2026-567


How CVE-2026-48487 Works

The vulnerability exists in the `_read_character_string` and `_read_string` functions within `src/zeroconf/_protocol/incoming.py`. These functions are responsible for parsing incoming mDNS packet payloads. During parsing, they slice `self.data[self.offset : self.offset + length]` and advance `self.offset` by the declared length, but they fail to check this length against the total buffer size `self._data_len`.
Python’s slice operation silently returns fewer bytes when the end index exceeds the buffer length. An attacker can exploit this by sending a single mDNS response packet containing a record (TXT, HINFO, or A/AAAA) that advertises an `rdlength` of 65535 (the maximum 16-bit value per RFC 1035 §3.2.1) but provides only a handful of actual payload bytes.
When the parser processes this crafted record, it constructs the record from the truncated payload and appends it to `DNSIncoming._answers`, committing it to the cache before any later parse failure is detected. The subsequent `_read_name` call for the next record will fail, but by then the corrupt record has already been propagated to `DNSCache` and `ServiceInfo`.
Any unauthenticated host on the local link can multicast this malicious response over UDP/5353 to `224.0.0.251` or `ff02::fb`. Consumers calling `ServiceInfo.properties` will parse the truncated bytes as if they were valid wire data, and downstream integrations (such as Home Assistant and other zeroconf-driven discovery systems) will trust the decoded record.
This is a parser-state desynchronization bug rather than remote code execution. However, it allows an attacker to seed the cache with attacker-controlled key/value and address records for the duration of the TTL window, serving as a building block for higher-impact attack chains. The impact is considered lower than other recently released advisories as there is no additional risk of Out-of-Memory (OOM) conditions. The severity was manually set to Low to override the CVSS score of 6.5 (Medium), which does not fully account for the mDNS threat model.

DailyCVE Form

Platform: pypi:zeroconf
Version: < 0.149.16
Vulnerability: Cache Corruption
Severity: Low
Date: 2026-05-29

Prediction: 2026-06-05

What Undercode Say

Check installed version:
pip show zeroconf

Upgrade to patched version (the version specifier is quoted so the shell does not treat `>` as an output redirection):
pip install --upgrade "zeroconf>=0.149.16"

Analytics:

  • CVE ID: CVE-2026-48487
  • GHSA ID: GHSA-qc2x-6f54-m6h9
  • Fixed in: zeroconf 0.149.16 (PR 1756)
  • Original target: 0.149.13 (blocked by PyPI space issue)
  • Attack Vector: Adjacent Network (AV:A)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: None (C:N)
  • Integrity Impact: High (I:H)
  • Availability Impact: None (A:N)
  • CVSS Base Score: 6.5 (Medium)

Exploit

An attacker on the same local link can exploit this vulnerability by:
1. Crafting a malicious mDNS response containing a TXT, HINFO, or A/AAAA record.
2. Setting the RDLENGTH field to 65535 while providing only a few bytes of actual payload.
3. Multicasting the packet to `224.0.0.251` (IPv4) or `ff02::fb` (IPv6) over UDP/5353.
4. The vulnerable parser will silently truncate the payload and append the corrupt record to the answer list.
5. The record is committed to the cache before the subsequent parse failure occurs.
6. Downstream consumers (e.g., ServiceInfo.properties) trust the decoded, attacker-influenced data.
This attack requires no authentication and can be performed by any host on the same Layer-2 network segment, including a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge.
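The parser behaviour described in "How CVE-2026-48487 Works" and in steps 4 and 5 above, as an added example that is not python-zeroconf's own code: a toy record reader with an unchecked length slice that appends each record to the answer list before the next one is read, next to a bounds-checked reader that validates every declared length against the real buffer size and commits nothing until the whole packet has parsed. The wire layout here (`count(2) | record*`, `record = rtype(2) | rdlength(2) | rdata`), the function names and the sample packets are all assumptions made for readability; they are not the mDNS wire format or captured traffic.

```python
"""Added example, not python-zeroconf's code.

Toy wire format (an assumption, not mDNS): packet = count(2) | record*,
record = rtype(2) | rdlength(2) | rdata. The interesting part is how the two
parsers treat an rdlength that does not fit in the buffer.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

TYPE_A = 1
TYPE_TXT = 16


class ParseError(ValueError):
    """Raised by the checked parser when a declared length does not fit."""


@dataclass(frozen=True)
class Record:
    rtype: int
    rdata: bytes


def read_string_unchecked(data: bytes, offset: int, length: int) -> tuple[bytes, int]:
    """Slice `length` bytes and advance, trusting the declared length.

    Python slicing never raises here: when offset + length runs past the end
    of the buffer the slice is silently shorter, while the returned offset
    still advances by the full declared length.
    """
    return data[offset : offset + length], offset + length


def read_string_checked(data: bytes, offset: int, length: int, data_len: int) -> tuple[bytes, int]:
    """Same read, but refuse any declared length that exceeds the buffer."""
    if offset + length > data_len:
        raise ParseError(
            f"declared length {length} at offset {offset} exceeds "
            f"{data_len - offset} remaining bytes"
        )
    return data[offset : offset + length], offset + length


def parse_unchecked(packet: bytes) -> tuple[list[Record], bool]:
    """Model of the vulnerable flow.

    Each record is appended as soon as it is built, so a failure on a later
    record leaves earlier, possibly truncated, records in the returned list.
    Returns (answers, packet_was_valid).
    """
    answers: list[Record] = []
    offset = 0
    try:
        (count,) = struct.unpack_from("!H", packet, offset)
        offset += 2
        for _ in range(count):
            rtype, rdlength = struct.unpack_from("!HH", packet, offset)
            offset += 4
            rdata, offset = read_string_unchecked(packet, offset, rdlength)
            answers.append(Record(rtype, rdata))  # committed before the next header is read
    except struct.error:
        # Detected only when the *next* header lies outside the buffer; the
        # truncated record is already in `answers`.
        return answers, False
    return answers, True


def parse_checked(packet: bytes) -> list[Record]:
    """Hardened flow: every length is validated against the real buffer size
    and the answer list is handed back only once the whole packet parsed."""
    data_len = len(packet)
    answers: list[Record] = []
    offset = 0
    if data_len < 2:
        raise ParseError("packet shorter than its header")
    (count,) = struct.unpack_from("!H", packet, offset)
    offset += 2
    for _ in range(count):
        if offset + 4 > data_len:
            raise ParseError(f"record header at offset {offset} runs past the buffer")
        rtype, rdlength = struct.unpack_from("!HH", packet, offset)
        offset += 4
        rdata, offset = read_string_checked(packet, offset, rdlength, data_len)
        answers.append(Record(rtype, rdata))
    return answers


# Constructed sample packets (not captured traffic).
REC_TXT_GOOD = struct.pack("!HH", TYPE_TXT, 6) + b"\x05key=1"         # rdlength matches payload
REC_TXT_BAD = struct.pack("!HH", TYPE_TXT, 65535) + b"\x03a=b"        # declares 65535, carries 4
REC_A_GOOD = struct.pack("!HH", TYPE_A, 4) + bytes([192, 168, 1, 2])   # constructed address

GOOD_PACKET = struct.pack("!H", 2) + REC_TXT_GOOD + REC_A_GOOD
BAD_PACKET = struct.pack("!H", 3) + REC_TXT_GOOD + REC_TXT_BAD + REC_A_GOOD


if __name__ == "__main__":
    answers, valid = parse_unchecked(BAD_PACKET)
    print("unchecked: valid =", valid, "records kept =", len(answers))
    print("unchecked: corrupt TXT rdata =", answers[1].rdata)  # swallowed the A record's bytes
    try:
        parse_checked(BAD_PACKET)
    except ParseError as exc:
        print("checked: rejected ->", exc)
    print("checked: good packet ->", parse_checked(GOOD_PACKET))
```

Running the unchecked parser over `BAD_PACKET` reports the packet as invalid yet still returns two records, the second carrying the four real payload bytes plus the whole following A record as its "TXT" data, which is the shape of the corruption that reaches the cache. The checked parser rejects the same packet at the oversized `rdlength`, before any record exists to commit; the fix therefore belongs at the length read, not in the consumers of `ServiceInfo.properties`.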

Protection

  • Upgrade to zeroconf version >= 0.149.16 immediately.
  • There is no in-process workaround; upgrading is the only fix.
  • As a network-level mitigation, restrict mDNS (UDP/5353) to trusted Layer-2 segments via:
      • AP client isolation
      • Guest-network separation
      • Host firewall rules

Impact

  • Parser-state desynchronization allows corrupt records to enter the cache before parse failures are detected.
  • Cache corruption with attacker-controlled key/value and address records for the TTL window.
  • Trust violation in downstream integrations (Home Assistant, etc.) that rely on zeroconf-driven discovery.
  • Building block for higher-impact attack chains.
  • No remote code execution or OOM risk.
  • Low severity (manual override of CVSS 6.5 Medium).

Sources:

Reported By: github.com
Extra Source Hub:
Undercode