CVE-2026-47184

MEDIUMPre-NVD 6.56.5

6.5

zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood

Impact

DNSCache._async_add inserted every response record into cache, _expirations, _expire_heap, and service_cache with no cap on entry count. The only pre-existing protection was a PTR TTL floor (_DNS_PTR_MIN_TTL = 1125 s, RFC 6762 §10), which actually *prolonged* attacker-injected records, and a periodic async_expire on _CACHE_CLEANUP_INTERVAL = 10 s that could not keep up with a flood.

Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can multicast valid mDNS responses with unique names (RFC 6762 §11 allows up to 253 bytes each) and watch them accumulate. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, every cache lookup and every periodic expiry pass grows linearly slower, starving asyncio and breaking unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks). A second variant — re-multicasting cached records with shifting TTLs — grows _expire_heap unbounded between cleanup runs without touching cache or _total_records.

Patches

Fixed in zeroconf 0.149.6 (PR #1718). Upgrade to >= 0.149.6.

Workarounds

There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

Resources

PR #1718, fix
Issue #1715, public tracking issue
RFC 6762 §10, RFC 6762 §11, CWE-400

CVSS v3: 6.5
EG Score: 6.5(low)
EPSS: —
KEV: Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47184(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-rfg2-pjw2-56x2
GitHub Security AdvisoriesMedium
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood

Data Freshness Timeline

(refreshed 2× in last 7d / 2× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-01 00:41 UTCEG score recompute
2026-05-29 20:20 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47184?

CVE-2026-47184 is a medium vulnerability published on May 29, 2026. zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood Impact DNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor…

When was CVE-2026-47184 disclosed?

CVE-2026-47184 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-47184?

CVE-2026-47184 has a CVSS v3 base score of 6.5 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-47184?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47184, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47184

Explore →

Is Your Infrastructure Affected by CVE-2026-47184?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs