CVE-2026-1678
CRITICAL
Zephyr < 4.3.0 - Out-of-bounds Write in DNS Name Unpacking
Title source: llm
Description
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
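The stale-tailroom pattern described above, as an added example: a simplified model, not Zephyr's code. The struct, CAP, unpack_name() and its refresh flag are hypothetical names, and the backing array is deliberately larger than the logical capacity so the overrun can be observed safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 16   /* logical capacity of the destination buffer (assumed) */

/* Hypothetical stand-in for a growable network buffer. The backing array is
 * larger than CAP so the model can show an overrun without undefined
 * behaviour in the demo itself. */
struct buf { uint8_t data[64]; size_t len; };

static size_t tailroom(const struct buf *b) { return b->len < CAP ? CAP - b->len : 0; }

/* Unpack length-prefixed labels into dotted form (no compression pointers).
 * refresh == 0: tailroom is read once and reused (the flawed pattern).
 * refresh == 1: tailroom is re-read before every append.
 * Returns the index where the NUL terminator was written, or -1 on reject. */
int unpack_name(const uint8_t *msg, size_t msg_len, struct buf *b, int refresh)
{
    size_t room = tailroom(b), pos = 0;

    while (pos < msg_len && msg[pos] != 0) {
        size_t lb = msg[pos++];
        if (lb > 63 || pos + lb > msg_len) return -1;        /* malformed */
        if (b->len + lb + 2 > sizeof(b->data)) return -1;    /* model-only guard */
        if (refresh) room = tailroom(b);
        if (lb + 2 > room) return -1;   /* reserve '.' + label + terminator */
        if (b->len > 0) b->data[b->len++] = '.';
        memcpy(b->data + b->len, msg + pos, lb);
        b->len += lb;
        pos += lb;
    }
    if (pos >= msg_len) return -1;      /* no root label */
    b->data[b->len] = '\0';
    return (int)b->len;
}

/* Constructed sample: "example.example.com", 19 characters plus terminator. */
const uint8_t LONG_NAME[] = { 7,'e','x','a','m','p','l','e',
                              7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };

int main(void)
{
    struct buf stale = { {0}, 0 }, fresh = { {0}, 0 };
    printf("stale check: terminator index %d (capacity %d)\n",
           unpack_name(LONG_NAME, sizeof LONG_NAME, &stale, 0), CAP);
    printf("fresh check: %d\n", unpack_name(LONG_NAME, sizeof LONG_NAME, &fresh, 1));
    return 0;
}
```

Every label passes the cached check on its own, so only a check against the buffer's current state rejects the name before the terminator lands outside the logical capacity.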
Scores
CVSS v3: 9.4
EPSS: 0.0038
EPSS Percentile: 29.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-787
Status: published
Products (1): zephyrproject/zephyr < 4.3.0
Published: Mar 05, 2026
Tracked Since: Mar 05, 2026