CVE-2026-1678
Received Received - Intake
Out-of-Bounds Write in Zephyr DNS Resolver Buffer Handling

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Zephyr Project

Description
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1678
EUVD
EUVD-2026-9792
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr to 4.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1678 is a critical memory-safety vulnerability in the DNS name parser of the Zephyr RTOS, specifically in the function dns_unpack_name(). The function caches the available buffer tailroom once at the start and reuses this stale value while appending DNS labels to the buffer. As the buffer length grows during label appending, the cached tailroom size becomes incorrect, causing the final null terminator to be written past the buffer boundary.

With assertions disabled (which is the default), this leads to unchecked out-of-bounds writes when processing a malicious DNS response. The vulnerability arises because the code relies on stale bounds checks and does not perform fresh tailroom checks before every write, including the null terminator.

An attacker can exploit this by sending a crafted DNS response containing multiple large DNS labels that cause the textual DNS name length to exceed the buffer size, resulting in an out-of-bounds write of approximately 100–200 bytes.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, denial of service, and compromise of system integrity and availability.

  • It allows an attacker to perform out-of-bounds writes remotely without authentication or user interaction.
  • The out-of-bounds write can corrupt memory, potentially leading to remote code execution depending on the memory layout.
  • If assertions are enabled, the vulnerability causes a crash (denial of service), but does not fully fix the underlying issue.
  • The vulnerability affects the confidentiality (low impact), integrity (high impact), and availability (high impact) of the system.
Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered by a malicious DNS response containing multiple 63-byte labels that cause the DNS name length to exceed the buffer size. Detection involves monitoring DNS responses for unusually large or malformed DNS names that exceed the typical 255-byte buffer limit.

Since the vulnerability occurs in the dns_unpack_name() function of the Zephyr RTOS DNS resolver, detection on the system could involve enabling debugging or logging around DNS resolver activity to capture suspicious DNS responses.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include applying the patches submitted for the Zephyr RTOS main branch and supported versions (v4.3, v4.2, v3.7) that address this vulnerability.

As a temporary measure, enabling assertions (CONFIG_ASSERT) can cause the system to crash instead of silently corrupting memory, which may help detect exploitation attempts but does not fully fix the issue.

Disabling the DNS resolver functionality (CONFIG_DNS_RESOLVER) if it is not required can also prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1678. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart