CVE-2026-10657
Received Received - Intake

Heap Buffer Over-Read in Zephyr RTOS DNS Resolver

Vulnerability report for CVE-2026-10657, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: Zephyr Project

Description

Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's final label is shorter than 7 bytes (e.g. names ending in .org, .com, .net, .io, or a trailing dot), the comparison reads 1-2 bytes past the string's NUL terminator. The hostname (query) is the caller-supplied name passed through the standard getaddrinfo()/dns_get_addr_info()/dns_resolve_name() path and is influenceable by operators or remote inputs (server names from configuration, parsed URLs, or app-facing interfaces). On a tightly-sized buffer with no slack (for example a userspace getaddrinfo call where the hostname is copied with k_usermode_string_alloc_copy to exactly strlen+1 bytes), the over-read crosses the allocation boundary; if that boundary is unmapped (guard page, memory-domain boundary under MPU, or an address sanitizer) the over-read faults, causing a denial of service. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIG_MDNS_RESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp(ptr, ".local").

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr From 1.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Zephyr's DNS resolver when it processes mDNS (.local) queries. The resolver uses a fixed-length memory comparison (memcmp) of 7 bytes to check if a hostname ends with ".local". However, if the hostname's final label is shorter than 7 bytes (such as .org, .com, .net, .io, or a trailing dot), the memcmp reads 1-2 bytes beyond the string's null terminator.

Because the hostname is supplied by the caller and can be influenced by operators or remote inputs, this out-of-bounds read can cross the allocation boundary in tightly sized buffers. If this boundary is unmapped (for example, due to guard pages or memory protection units), the over-read causes a fault, leading to a denial of service.

Importantly, the over-read bytes are never returned, so there is no information disclosure. The issue only occurs when the CONFIG_MDNS_RESOLVER option is enabled and has been fixed by replacing the fixed-length memcmp with a null-safe strcmp.

Impact Analysis

This vulnerability can cause a denial of service (DoS) in systems using Zephyr's DNS resolver with the MDNS resolver enabled. Specifically, when processing certain hostnames with short final labels, the resolver may perform an out-of-bounds memory read that triggers a fault if it crosses an unmapped memory boundary.

Such a fault can crash or halt the affected process or system component, potentially disrupting network name resolution and related services.

There is no risk of information disclosure or privilege escalation from this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Zephyr build does not enable CONFIG_MDNS_RESOLVER or update to a version where the fixed-length memcmp call is replaced with a NUL-safe strcmp(ptr, ".local"). This prevents the out-of-bounds read that causes denial of service.

Compliance Impact

This vulnerability causes a denial of service due to a memory over-read in Zephyr's DNS resolver when resolving certain hostnames. It does not result in information disclosure or data leakage.

Since the flaw does not expose or leak sensitive data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and privacy of personal data.

However, the denial of service could affect system availability, which may be a consideration under some regulatory frameworks that require maintaining service continuity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart