CVE-2026-10652: bounds in zephyrproject zephyr
Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.
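The chokepoint check the description refers to, modelled as added example code (not Zephyr's own implementation): a minimal RR header parser in which the rdlength-versus-msg_size rejection can be toggled so the pre-fix and fixed behaviour are compared on the same bytes, plus a TXT copy step with the same DNS_MAX_TEXT_SIZE clamp. The struct, function names and the sample records are assumptions constructed for this example, not Zephyr's.

```c
/* Added example (not Zephyr's own code): a minimal model of the RR parsing
 * step in dns_unpack_answer() and the TXT copy in dns_validate_record(),
 * with the CVE-2026-10652 fix (rdata must fit inside msg_size) switchable
 * so the pre-fix and fixed behaviour can be compared on the same bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_MAX_TEXT_SIZE 64   /* record-type cap named in the advisory */
#define RR_FIXED_LEN 10        /* type(2) class(2) ttl(4) rdlength(2) */

struct dns_msg_t { const uint8_t *msg; size_t msg_size; };  /* assumed shape */

/* Parse the fixed RR header at 'offset' (owner name assumed already consumed).
 * Returns the declared rdlength and sets *rdata_off, or -1 on rejection.
 * apply_fix == 0 models the pre-fix code: rdlength is taken at face value. */
int unpack_answer(const struct dns_msg_t *m, size_t offset,
                  size_t *rdata_off, int apply_fix)
{
    if (offset + RR_FIXED_LEN > m->msg_size) return -1; /* header truncated */
    const uint8_t *p = m->msg + offset;
    uint16_t rdlength = (uint16_t)((p[8] << 8) | p[9]);
    *rdata_off = offset + RR_FIXED_LEN;
    if (apply_fix && *rdata_off + rdlength > m->msg_size) {
        return -1;  /* the fix: declared rdata extends past the datagram */
    }
    return rdlength;
}

/* TXT consumer: memcpy up to DNS_MAX_TEXT_SIZE bytes of rdata, as the
 * advisory describes. It relies entirely on unpack_answer() for bounds,
 * so it is only ever called here with the fix applied. Returns the number
 * of bytes copied, or -1 if the record was rejected. */
int copy_txt(const struct dns_msg_t *m, size_t offset, uint8_t *out)
{
    size_t rdata_off;
    int rdlength = unpack_answer(m, offset, &rdata_off, 1);
    if (rdlength < 0) return -1;
    size_t n = rdlength > DNS_MAX_TEXT_SIZE ? DNS_MAX_TEXT_SIZE : (size_t)rdlength;
    memcpy(out, m->msg + rdata_off, n);
    return (int)n;
}

/* Constructed records: TXT (type 16), class IN, TTL 60. The first declares
 * rdlength 48 but the datagram ends after 5 rdata bytes; the second is sane. */
const uint8_t truncated_txt[] = { 0x00,0x10, 0x00,0x01, 0x00,0x00,0x00,0x3c,
                                  0x00,0x30, 0x04,'t','e','s','t' };
const uint8_t valid_txt[]     = { 0x00,0x10, 0x00,0x01, 0x00,0x00,0x00,0x3c,
                                  0x00,0x05, 0x04,'t','e','s','t' };
```

With apply_fix set to 0 the truncated record is accepted with rdlength 48 and a caller would read 33 bytes past the datagram; with the fix it is rejected before any copy takes place.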
AI Analysis
Technical Summary
Zephyr's DNS resolver (subsys/net/lib/dns) parses DNS resource records in dns_unpack_answer() but only validates fixed RR header fields and accepts any attacker-declared rdlength, even if it extends beyond the received datagram. The TXT and SRV record handlers then read up to rdlength bytes from the receive buffer without bounds checking against the packet size, potentially reading stale or uninitialized memory. This leads to an information leak of residual memory contents or, in some configurations, a denial of service due to out-of-bounds memory access faults. The vulnerability affects Zephyr versions 4.3.0 and 4.4.0. The fix involves rejecting any record whose declared rdata length extends past the DNS message size at a single chokepoint in dns_unpack_answer().
Potential Impact
An attacker controlling or spoofing DNS responses can craft truncated TXT or SRV DNS records with declared data lengths exceeding the actual packet size. This causes the resolver to read beyond the valid buffer, leaking stale or uninitialized memory contents to the application, resulting in an information disclosure. Additionally, in some configurations, this out-of-bounds read can cross allocation boundaries and cause a denial of service via memory faults. The read is limited in size (~64 bytes for TXT, ~6 bytes for SRV) and read-only, so no direct code execution or data modification is indicated.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The disclosed fix rejects any DNS record whose declared rdata length extends beyond the DNS message size in dns_unpack_answer(). Until an official fix is applied, avoid trusting DNS responses from untrusted or potentially malicious sources. Monitor for updates from the Zephyr project regarding patches or official fixes for this vulnerability.
CVSS v3.1 score: 4.8 (Medium)
Affected software: Zephyr v4.3.0 and v4.4.0
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2026-06-02T15:24:25.664Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43f42f27e9c79719185ebb
Added to database: 06/30/2026, 16:51:59 UTC
Last enriched: 06/30/2026, 17:08:33 UTC
Last updated: 06/30/2026, 22:34:56 UTC