CVE-2026-1678
Out-of-Bounds Write in Zephyr DNS Resolver Buffer Handling
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Zephyr Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zephyrproject | zephyr | up to and including 4.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1678 is a critical memory-safety vulnerability in the DNS name parser of the Zephyr RTOS, specifically in the function dns_unpack_name(). The function reads the available buffer tailroom once at the start and reuses that cached value while appending DNS labels to the buffer. Because the buffer length grows with every label appended, the cached tailroom no longer reflects the real free space, and the final null terminator is written past the end of the buffer.
With assertions disabled (the default), this results in unchecked out-of-bounds writes when a malicious DNS response is processed. The root cause is that the code relies on a stale bounds check instead of re-reading the tailroom before every write, the null terminator included.
An attacker can trigger the bug by sending a crafted DNS response whose multiple large labels make the textual DNS name longer than the destination buffer, resulting in an out-of-bounds write of approximately 100-200 bytes.
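The stale-tailroom pattern described above, as an added illustration that is not Zephyr's dns_unpack_name() and is not taken from the advisory: a simplified name unpacker that expands wire-format labels into a dotted string, run once with the tailroom sampled a single time (the flaw) and once with it re-read before every write, terminator included (the fix). The struct out_buf, the 128-byte DEMO_BUF_SIZE capacity, the constructed five-label response and the absence of compression-pointer handling are assumptions made for the demo; bytes that would land past the buffer end are counted instead of written, so the program is safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63
#define DEMO_BUF_SIZE 128   /* arbitrary demo capacity, not a Zephyr value */

/* Output buffer modelled loosely on a net_buf: 'size' is the capacity, 'len'
 * the bytes in use. A write past 'size' is counted in 'oob' instead of being
 * performed, so the demo reports how far a stale bound lets a write run
 * without actually corrupting memory. */
struct out_buf {
    uint8_t data[DEMO_BUF_SIZE];
    size_t size, len, oob;
};

static size_t tailroom(const struct out_buf *b)
{
    return b->len < b->size ? b->size - b->len : 0;
}

static void put(struct out_buf *b, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++, b->len++) {
        if (b->len < b->size)
            b->data[b->len] = src[i];
        else
            b->oob++;   /* this byte would have landed out of bounds */
    }
}

/* Expand a wire-format name (uncompressed labels only; compression pointers
 * are out of scope here) at msg[off] into 'out' as a dotted, NUL-terminated
 * string. Returns 0 on success, -1 if the name is malformed or does not fit.
 * refresh == false: tailroom is sampled once and reused (the stale-bound flaw).
 * refresh == true : tailroom is re-read before every write, terminator included. */
static int unpack_name(const uint8_t *msg, size_t msg_len, size_t off,
                       struct out_buf *out, bool refresh)
{
    size_t avail = tailroom(out);   /* stale after the first write unless refreshed */
    bool first = true;

    while (off < msg_len) {
        uint8_t len = msg[off++];
        if (len == 0) {                      /* end of name: write the terminator */
            if (refresh)
                avail = tailroom(out);
            if (avail < 1)
                return -1;
            put(out, (const uint8_t *)"", 1);
            return 0;
        }
        if (len > DNS_MAX_LABEL || off + len > msg_len)
            return -1;
        size_t need = len + (first ? 0 : 1); /* label plus a '.' separator */
        if (refresh)
            avail = tailroom(out);
        if (need > avail)
            return -1;
        if (!first)
            put(out, (const uint8_t *)".", 1);
        put(out, msg + off, len);
        off += len;
        first = false;
    }
    return -1;   /* message ended before the zero-length terminator */
}

struct demo_result { int rc; size_t text_len; size_t oob; };

/* Build a constructed response name of 'count' labels, each 'label_len' bytes
 * of 'a', feed it to one variant and report what happened. */
static struct demo_result run_demo(size_t count, uint8_t label_len, bool refresh)
{
    uint8_t wire[512];
    size_t n = 0;
    for (size_t i = 0; i < count && n + label_len + 2 <= sizeof(wire); i++) {
        wire[n++] = label_len;
        memset(wire + n, 'a', label_len);
        n += label_len;
    }
    wire[n++] = 0;

    struct out_buf out = { .size = DEMO_BUF_SIZE };
    struct demo_result r;
    r.rc = unpack_name(wire, n, 0, &out, refresh);
    r.text_len = out.len;
    r.oob = out.oob;
    return r;
}

int main(void)
{
    struct demo_result v = run_demo(5, DNS_MAX_LABEL, false);
    struct demo_result h = run_demo(5, DNS_MAX_LABEL, true);
    printf("stale tailroom: rc=%d, name needs %zu bytes, %zu written out of bounds\n",
           v.rc, v.text_len, v.oob);
    printf("fresh tailroom: rc=%d, stopped at %zu bytes, %zu out of bounds\n",
           h.rc, h.text_len, h.oob);
    return 0;
}
```

With five 63-byte labels the textual name needs 320 bytes (5 x 63 plus four dots and the terminator). The stale variant accepts every label because each one is compared against the original 128 bytes of free space, reports success, and would have written 192 bytes past the end; the refreshed variant rejects the third label as soon as the real tailroom drops below its size and never reaches the terminator.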
How can this vulnerability impact me?
This vulnerability can have severe impacts, including remote code execution, denial of service, and loss of system integrity and availability.
- It allows an attacker to perform out-of-bounds writes remotely, without authentication or user interaction: any device that resolves names through the Zephyr resolver can be targeted by a spoofed or attacker-controlled DNS response.
- The out-of-bounds write corrupts memory and, depending on the memory layout, may lead to remote code execution.
- With assertions enabled, the bad write trips an assertion and the device crashes (denial of service); this turns silent corruption into a crash but does not fix the underlying bug.
- The vulnerability affects confidentiality (low impact), integrity (high impact), and availability (high impact).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by a malicious DNS response containing multiple 63-byte labels whose combined textual length exceeds the destination buffer. Network-side detection therefore involves monitoring DNS responses for unusually long or malformed names, in particular names whose expanded dotted form approaches or exceeds the 255-byte DNS name limit, which legitimate responses rarely do.
Since the vulnerability lives in the dns_unpack_name() function of the Zephyr RTOS DNS resolver, detection on the device itself would involve enabling logging or debugging around DNS resolver activity to capture suspicious responses, and, where assertions are enabled, treating unexpected resolver crashes as possible exploitation attempts.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply the patches submitted for the Zephyr RTOS main branch and the supported release branches (v4.3, v4.2, v3.7) that address this vulnerability, and to rebuild and redeploy affected firmware.
As a temporary measure, enabling assertions (CONFIG_ASSERT) makes the device crash instead of silently corrupting memory; this can expose exploitation attempts as crashes but does not remove the vulnerability.
If the DNS resolver is not required, disabling it (CONFIG_DNS_RESOLVER) removes the vulnerable code path entirely and prevents exploitation.