CVE Catalog

CVE-2026-10652

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A vulnerability in Zephyr's DNS resolver (subsys/net/lib/dns) allows an out-of-bounds read due to insufficient validation of the rdlength field in DNS responses. The dns_unpack_answer() function accepts any declared rdlength, enabling an attacker to craft a truncated TXT or SRV response that reads beyond the receive buffer. This leads to information disclosure (residual packet data or uninitialized memory) and potentially a denial of service.

Risk Assessment

The organization risks sensitive data leakage from system memory and potential denial of service. The attack can be executed by a malicious DNS server, an on-path attacker forging UDP replies, or any LAN node if mDNS/LLMNR is enabled.

Recommendation

Immediately update Zephyr OS to a patched version (v4.4.1 or later). If updating is not possible, disable TXT and SRV record handling in the DNS resolver or restrict trusted DNS servers.

Original NVD description (English source)

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS