CVE-2026-1678 PUBLISHED

dns: memory‑safety issue in the DNS name parser

Assigner: zephyr
Reserved: 30.01.2026 Published: 05.03.2026 Updated: 05.03.2026

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVSS Score: 9.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	zephyrproject-rtos
Product	Zephyr
Versions	Default: unaffected affected from * to 4.3 (incl.)

References

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42

Problem Types

Out-of-bounds Write CWE