Intel

AIKIDO-2026-433367

zeroconf is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

50

Medium Risk

This Affects:

PYTHONzeroconf
0.32.0 - 0.149.8
Fixed in 0.149.9
Are you affected? Scan for Free

TL;DR

The QuestionHistory that implements RFC 6762 duplicate-question suppression stored every distinct incoming question in an unbounded dictionary through add_question_at_time, relying only on a periodic expiry sweep to drop stale entries. An unauthenticated peer on the local link can flood the mDNS listener with distinct questions faster than the periodic cleanup runs, growing the history without bound between sweeps. On memory-constrained deployments this can exhaust process memory and cause an out-of-memory denial of service. The fix caps the history at a fixed number of entries and evicts expired or oldest entries once the cap is reached.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

zeroconf is vulnerable to Uncontrolled Resource Consumption in versions 0.32.0 - 0.149.8.

How to fix this

Upgrade the zeroconf library to the patch version.