Skip to main content

Zephyr RTOS CVE-2026-10652

| EUVDEUVD-2026-40372 HIGH
Out-of-bounds Read (CWE-125)
2026-06-30 zephyr
7.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.5 MEDIUM

Remote unauthenticated but AC:H due to spoofing/on-path timing; confidentiality is Low given the bounded ~64-byte stale-memory leak, and availability Low since faulting only occurs in some configurations.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

11
Analysis Updated
Jul 06, 2026 - 21:45 vuln.today
v7 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:45 vuln.today
v6 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:44 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:43 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:43 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 06, 2026 - 21:42 vuln.today
Analysis Updated
Jul 06, 2026 - 21:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:52 vuln.today
cvss_changed
Severity Changed
Jul 06, 2026 - 19:52 NVD
MEDIUM HIGH
CVSS changed
Jul 06, 2026 - 19:52 NVD
4.8 (MEDIUM) 7.4 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:16 vuln.today

DescriptionNVD

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.

AnalysisAI

Out-of-bounds read in the Zephyr RTOS DNS resolver (subsys/net/lib/dns) lets a malicious, spoofed, or on-path DNS server - or any LAN node when mDNS/LLMNR is enabled - return crafted truncated TXT or SRV records that leak residual receive-pool memory to the application, and in some configurations crash the device. It affects Zephyr v4.3.0 and v4.4.0; the SSVC framework records a proof-of-concept, so publicly available exploit code exists, though EPSS is low (0.20%, 10th percentile) and there is no public evidence of active exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as malicious/on-path DNS or LAN mDNS peer
Delivery
Wait for or induce device DNS query
Exploit
Send TXT/SRV response with oversized rdlength
Execution
memcpy over-reads receive-pool memory
Persist
Stale pool bytes returned to application (info leak)
Impact
Optional allocation-boundary fault causes DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Zephyr device (v4.3.0 or v4.4.0) performs DNS name resolution and processes TXT or SRV answer records, and that the attacker can deliver a forged response - as the configured/malicious DNS server, as an on-path attacker forging UDP DNS replies, or, when the CONFIG_MDNS_RESOLVER or CONFIG_LLMNR_RESOLVER features are enabled, as any node on the local network segment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-moderate issue rather than a top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or can spoof the DNS server a Zephyr device queries (or is a peer on the same LAN with mDNS/LLMNR enabled) crafts a DNS response containing a TXT or SRV record whose rdlength is larger than the bytes actually present in the datagram. When the device resolves the name, dns_validate_record() memcpy's past the packet into adjacent receive-pool memory and returns residual bytes from prior DNS traffic to the application as record data, leaking that stale memory and potentially faulting the device. …
Remediation Upgrade Zephyr to a release that contains the fix; based on the EUVD range (<4.5.0) the corrected code is in the 4.5.0 line, and the upstream fix is commit 58b46c81c6796dac4dc7391f32ba006474f94dc8 (https://github.com/zephyrproject-rtos/zephyr/commit/58b46c81c6796dac4dc7391f32ba006474f94dc8), which adds a single bounds check rejecting any record whose declared rdata extends past dns_msg->msg_size in dns_unpack_answer(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running Zephyr RTOS v4.3.0 or v4.4.0; identify affected IoT/embedded deployments, especially those on untrusted networks or with mDNS/LLMNR enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy