CVE-2026-1678 | THREATINT

Description

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

PUBLISHED Reserved 2026-01-30 | Published 2026-03-05 | Updated 2026-03-05 | Assigner zephyr

CRITICAL: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Problem types

Out-of-bounds Write

Product status

Default status

unaffected

* (git)

affected

References

github.com/...zephyr/security/advisories/GHSA-536f-h63g-hj42 exploit

github.com/...zephyr/security/advisories/GHSA-536f-h63g-hj42

cve.org (CVE-2026-1678)

nvd.nist.gov (CVE-2026-1678)

Download JSON