GHSA-9663-mqmp-p9mm

### Impact

`AsyncListener.handle_query_or_defer` retained every truncated (TC-bit) incoming query in `self._deferred[addr]` and armed a per-addr timer in `self._timers[addr]` that flushed the reassembled query within ~500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct `addr` keys was capped, and the dedup check (`for incoming in reversed(deferred): if incoming.data == msg.data`) ran O(N) over the per-addr list on every arrival.

Any unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can stream byte-distinct TC-flagged mDNS queries — each up to `_MAX_MSG_ABSOLUTE = 8966` bytes, with `DNSIncoming` retaining the raw `data` buffer plus parsed-record state. Trivially spoofed source IPs multiply the effect across `_deferred` / `_timers`, and the O(N) data compare burns CPU quadratically as each per-addr queue grows. On memory-constrained deployments (Home Assistant on Raspberry-Pi-class hardware is the canonical victim) sustained traffic OOM-kills the process; under lighter load, the per-arrival scan and event-loop scheduler starvation break unrelated zeroconf consumers (discovery, registration, ServiceBrowser callbacks).

### Patches

Fixed in `zeroconf` 0.149.12 ([PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751)). Upgrade to `>= 0.149.12`.

### Workarounds

There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.

### Resources

- [PR #1751](https://github.com/python-zeroconf/python-zeroconf/pull/1751), fix - [RFC 6762 §18.5](https://www.rfc-editor.org/rfc/rfc6762#section-18.5), [CWE-400](https://cwe.mitre.org/data/definitions/400.html)