{"schema_version":"1.7.2","id":"OESA-2026-2832","modified":"2026-07-06T06:27:10Z","published":"2026-07-06T06:27:10Z","upstream":["CVE-2026-48487"],"summary":"python-zeroconf security update","details":"Pure Python Multicast DNS Service Discovery Library (Bonjour/Avahi compatible)\r\n\r\nSecurity Fix(es):\n\n`_read_character_string` and `_read_string` in `src/zeroconf/_protocol/incoming.py` sliced `self.data[self.offset : self.offset + length]` and advanced `self.offset` by the declared `length` without checking it against `self._data_len`. Python&apos;s slice silently returns fewer bytes when the end index runs past the buffer, so a record whose 16-bit RDLENGTH (RFC 1035 §3.2.1) over-advertised by tens of kilobytes was constructed from a truncated payload, appended to `DNSIncoming._answers`, and committed to the cache before any later parse failure surfaced. Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can multicast a single mDNS response carrying a TXT, HINFO, or A/AAAA record that advertises rdlength=65535 and only a handful of real payload bytes; consumers calling `ServiceInfo.properties` then parse the truncated bytes as if they matched the wire, and downstream integrations (Home Assistant and other zeroconf-driven discovery) trust the decoded record. The bug is parser-state desync rather than RCE, but it seeds the cache with attacker-shaped key/value and address records for a TTL window and is a building block for higher-impact chains.(CVE-2026-48487)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"python-zeroconf","purl":"pkg:rpm/openEuler/python-zeroconf&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.131.0-2.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["python-zeroconf-help-0.131.0-2.oe2403sp1.noarch.rpm","python3-zeroconf-0.131.0-2.oe2403sp1.noarch.rpm"],"src":["python-zeroconf-0.131.0-2.oe2403sp1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2832"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48487"}],"database_specific":{"severity":"Medium"}}
