CVE-2026-10652
Status: Received - Intake

DNS Response Parsing Buffer Overflow in Zephyr RTOS

Vulnerability report for CVE-2026-10652, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Zephyr Project

Description

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 5 associated CPEs

Vendor          Product               Version / Range
zephyr          zephyr_dns_resolver   4.3.0
zephyr          zephyr_dns_resolver   4.4.0
zephyrproject   zephyr                4.3.0
zephyrproject   zephyr                4.4.0
zephyrproject   zephyr                From 4.3.0 (inc) to 4.4.0 (inc)

Exploitability

CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.

Executive Summary

This vulnerability exists in Zephyr RTOS's DNS resolver, specifically in the dns_unpack_answer() function. The function validates only the fixed resource record (RR) header fields and does not verify whether the declared resource data length (rdlength) extends beyond the actual size of the received DNS message. As a result, when processing TXT and SRV DNS records, the resolver may read beyond the end of the received datagram, causing an out-of-bounds read.

An attacker, such as a malicious DNS server or an on-path attacker forging DNS replies, can craft truncated or malformed DNS responses that exploit this lack of validation. This leads to the leakage of adjacent memory contents (stale or uninitialized data) to the application, which is an information disclosure. In some cases, this can also cause a denial of service if the read crosses allocation boundaries and faults.

The vulnerability affects Zephyr versions 4.3.0 and 4.4.0 and has been fixed by adding a check in dns_unpack_answer() to reject any resource record whose declared data length exceeds the actual DNS message size.

Impact Analysis

The primary impacts of this vulnerability are information disclosure and, in some configurations, denial of service.

  • Information Disclosure: The out-of-bounds read can leak residual or uninitialized memory contents from the DNS resolver's receive buffer to the application, exposing sensitive or stale data.
  • Denial of Service: In some configurations, the out-of-bounds read may cross allocation boundaries and cause a fault, crashing the DNS resolver and leading to denial of service.

The vulnerability can be exploited remotely by a malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or any LAN node if mDNS/LLMNR is enabled.

The CVSS base score is 4.8 (Medium), indicating a moderate severity with the primary impact on confidentiality and availability.

Detection Guidance

This vulnerability involves malformed or truncated DNS responses with resource record (RR) data length fields (rdlength) that extend beyond the actual DNS message size, causing out-of-bounds reads.

To detect this on your network, monitor DNS traffic for malformed or truncated TXT or SRV responses in which a resource record's rdlength claims more rdata bytes than remain in the datagram after the RR header.

Packet capture tools such as tcpdump and Wireshark can capture the UDP DNS traffic and then be used to inspect response packets for rdlength values that are inconsistent with the message size.

  • Capture DNS traffic on port 53 using tcpdump: tcpdump -i <interface> udp port 53 -w dns_traffic.pcap (add udp port 5353 for mDNS and udp port 5355 for LLMNR if those resolvers are enabled, since the description lists LAN nodes as a source of such replies).
  • Analyze the captured packets in Wireshark and filter for DNS responses carrying TXT or SRV records; Wireshark's DNS dissector reports a record whose rdlength runs past the end of the packet as malformed.
  • Look for DNS responses where the rdlength field of a resource record exceeds the bytes remaining in the message, or where the response appears truncated.

Additionally, monitoring application logs for unusual DNS resolution errors or crashes related to DNS TXT or SRV records may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation is to update the Zephyr RTOS DNS resolver to a version that includes the patch fixing this vulnerability.

The patch adds validation in the dns_unpack_answer() function to reject any DNS resource record whose declared rdata length extends beyond the actual DNS message size, preventing out-of-bounds reads.
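To make the Description's chokepoint check and the patch described above concrete, here is an added example (not Zephyr's code) that models the pre-fix and fixed rdlength handling over a constructed single-answer TXT reply. build_txt_reply, rdata_len_unchecked, rdata_len_checked and ANSWER_OFF are hypothetical names, and the answer's owner name is assumed to be a 2-byte compression pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_TEXT_SIZE 64   /* Zephyr's default TXT cap, per the advisory */
#define RR_FIXED_HDR 10        /* type(2) class(2) ttl(4) rdlength(2) */
#define ANSWER_OFF 27          /* where the answer RR starts in the constructed reply */

/* Constructed single-answer TXT reply (not a real capture). declared_rdlen is what
 * the RR header claims; actual_rdata is how many rdata bytes really follow.
 * Returns the datagram size, i.e. the equivalent of dns_msg->msg_size. */
size_t build_txt_reply(uint8_t *buf, uint16_t declared_rdlen, size_t actual_rdata)
{
    static const uint8_t prefix[] = {
        0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,  /* id, flags, qd=1, an=1 */
        1, 'a', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0, /* QNAME a.example */
        0, 16, 0, 1,                                     /* QTYPE TXT, QCLASS IN */
        0xC0, 0x0C,                                      /* owner: pointer to QNAME */
        0, 16, 0, 1, 0, 0, 0, 60,                        /* TXT, IN, TTL 60 */
    };
    size_t n = sizeof(prefix);
    memcpy(buf, prefix, n);
    buf[n++] = (uint8_t)(declared_rdlen >> 8);
    buf[n++] = (uint8_t)(declared_rdlen & 0xFF);
    for (size_t i = 0; i < actual_rdata; i++)
        buf[n++] = (uint8_t)('A' + i);                   /* constructed rdata bytes */
    return n;
}

/* Pre-fix behaviour as the advisory describes it: rdlength is trusted and only
 * clamped to the record-type maximum, never to the datagram. */
int rdata_len_unchecked(const uint8_t *msg, size_t msg_size, size_t rr_off)
{
    (void)msg_size;
    const uint8_t *hdr = msg + rr_off + 2;               /* skip the 2-byte pointer */
    int rdlength = (hdr[8] << 8) | hdr[9];
    return rdlength > DNS_MAX_TEXT_SIZE ? DNS_MAX_TEXT_SIZE : rdlength;
}

/* Fixed behaviour: reject any record whose declared rdata extends past msg_size. */
int rdata_len_checked(const uint8_t *msg, size_t msg_size, size_t rr_off)
{
    size_t rdata_off = rr_off + 2 + RR_FIXED_HDR;
    if (rdata_off > msg_size) return -1;                 /* RR header itself truncated */
    const uint8_t *hdr = msg + rr_off + 2;
    size_t rdlength = (size_t)((hdr[8] << 8) | hdr[9]);
    if (rdlength > msg_size - rdata_off) return -1;      /* would read past the datagram */
    return (int)rdlength;
}
```

With a reply that declares rdlength 64 but carries only 4 rdata bytes, the unchecked path still returns 64 (it would copy 60 bytes of adjacent pool memory), while the checked path rejects the record.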

Until the update can be applied, consider disabling or restricting the use of DNS TXT and SRV record resolution if possible, especially from untrusted or external DNS servers.

Also, monitor DNS traffic for suspicious or malformed responses and implement network-level protections such as DNS response validation or DNSSEC to reduce the risk of spoofed or malicious DNS replies.
