CVE-2026-1678

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

CVSS v3 9.4 CRITICAL

9.4^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42	Exploit Patch Vendor Advisory
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 07:16

Updated : 2026-03-09 18:33

NVD link : CVE-2026-1678

Mitre link : CVE-2026-1678

CVE.ORG link : CVE-2026-1678

JSON object : View

Products Affected

zephyrproject

zephyr

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-1678", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vulnerabilities@zephyrproject.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-05T07:16:11.437", "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "vulnerabilities@zephyrproject.org"}, {"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "vulnerabilities@zephyrproject.org", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled."}, {"lang": "es", "value": "dns_unpack_name() almacena en cach\u00e9 el espacio restante del b\u00fafer una vez y lo reutiliza al adjuntar etiquetas DNS. A medida que el b\u00fafer crece, el tama\u00f1o almacenado en cach\u00e9 se vuelve incorrecto, y el terminador nulo final puede escribirse m\u00e1s all\u00e1 del b\u00fafer. Con las aserciones deshabilitadas (por defecto), una respuesta DNS maliciosa puede desencadenar una escritura fuera de los l\u00edmites cuando CONFIG_DNS_RESOLVER est\u00e1 habilitado."}], "lastModified": "2026-03-09T18:33:42.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D912614-A39E-4C9B-AA54-187BC26337B9", "versionEndIncluding": "4.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilities@zephyrproject.org"}