Description
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
Published: 2026-03-05
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

dns_unpack_name caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer expands, the cached size becomes incorrect and the final null terminator can be written past the buffer. With assertions disabled and CONFIG_DNS_RESOLVER enabled, a malicious DNS response can trigger an out‑of‑bounds write. This memory corruption can allow an attacker to overwrite adjacent memory, potentially leading to arbitrary code execution or a system crash, consistent with the CWE‑787 buffer overflow weakness.

Affected Systems

The vulnerability affects Zephyr RTOS builds that include the DNS resolver (CONFIG_DNS_RESOLVER). The advisory does not specify precise version numbers, so any Zephyr instance with the resolver enabled may be vulnerable.

Risk and Exploitability

The CVSS score of 9.4 signals a high severity, while the EPSS score of <1% indicates a low current exploitation likelihood and the vulnerability is not listed in the KEV catalog. The likely attack vector is remote: an adversary can craft a DNS response that targets a device running the vulnerable resolver, triggering the out‑of‑bounds write. Successful exploitation could allow arbitrary code execution or denial of service.

Generated by OpenCVE AI on April 16, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the DNS resolver by removing CONFIG_DNS_RESOLVER from the Zephyr build configuration.
  • Update Zephyr to the latest version or apply the vendor’s patch that addresses the dns_unpack_name bounds checking flaw.
  • Monitor DNS traffic for anomalous responses and segment the network to limit exposure of vulnerable devices.

Generated by OpenCVE AI on April 16, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
CPEs cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*
Vendors & Products Zephyrproject
Zephyrproject zephyr

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject-rtos
Zephyrproject-rtos zephyr
Vendors & Products Zephyrproject-rtos
Zephyrproject-rtos zephyr

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:45:00 +0000

Type Values Removed Values Added
Description dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
Title dns: memory‑safety issue in the DNS name parser
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Zephyrproject Zephyr
Zephyrproject-rtos Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-03-05T15:28:42.914Z

Reserved: 2026-01-30T05:48:49.746Z

Link: CVE-2026-1678

cve-icon Vulnrichment

Updated: 2026-03-05T15:27:52.161Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T07:16:11.437

Modified: 2026-03-09T18:33:42.917

Link: CVE-2026-1678

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses