PT-2026-60045 · Pypi · Zeroconf

Published

2026-07-13

·

Updated

2026-07-13

CVSS v3.1

6.5

Medium

VectorAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact

DNSIncoming. decode labels at offset recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython's default limit, and RecursionError was not listed in DECODE EXCEPTIONS, so it escaped DNSIncoming. init and was logged by asyncio's default exception handler.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.

Patches

Fixed in zeroconf 0.149.5 (PR #1719). Upgrade to >= 0.149.5.

Workarounds

There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

Resources

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-3436

Affected Products

Zeroconf