Skip to main content

Zephyr RTOS CVE-2026-10657

MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-05 zephyr
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
LOW
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

Network-reachable via hostname input, AC:H for required tight-allocation plus unmapped-boundary runtime conditions; C:N and I:N confirmed as over-read bytes are never returned.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Severity Changed
Jul 08, 2026 - 15:07 NVD
LOW MEDIUM
CVSS changed
Jul 08, 2026 - 15:07 NVD
3.7 (LOW) 5.3 (MEDIUM)
Analysis Generated
Jul 05, 2026 - 23:18 vuln.today

DescriptionNVD

Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's final label is shorter than 7 bytes (e.g. names ending in .org, .com, .net, .io, or a trailing dot), the comparison reads 1-2 bytes past the string's NUL terminator. The hostname (query) is the caller-supplied name passed through the standard getaddrinfo()/dns_get_addr_info()/dns_resolve_name() path and is influenceable by operators or remote inputs (server names from configuration, parsed URLs, or app-facing interfaces). On a tightly-sized buffer with no slack (for example a userspace getaddrinfo call where the hostname is copied with k_usermode_string_alloc_copy to exactly strlen+1 bytes), the over-read crosses the allocation boundary; if that boundary is unmapped (guard page, memory-domain boundary under MPU, or an address sanitizer) the over-read faults, causing a denial of service. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIG_MDNS_RESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp(ptr, ".local").

AnalysisAI

Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply short-suffix hostname via DNS API
Delivery
Invoke dns_resolve_name_internal() with CONFIG_MDNS_RESOLVER
Exploit
memcmp reads past NUL terminator
Execution
Over-read crosses unmapped memory boundary
Impact
Processor faults, device crashes

Vulnerability AssessmentAI

Exploitation CONFIG_MDNS_RESOLVER must be enabled at compile time - this is the primary gate and is not a default in all Zephyr build configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application on a Zephyr device resolves a hostname ending in .io or .org - for example, a parsed URL from a remote configuration push - triggering dns_resolve_name_internal() with CONFIG_MDNS_RESOLVER compiled in. If the hostname was copied via k_usermode_string_alloc_copy to a buffer of exactly strlen+1 bytes and the next allocation boundary is an unmapped guard page or MPU domain fence, the 1-2 byte over-read faults the processor, crashing the device. …
Remediation Apply commit 448a21da12c9ea28f7fd12c6894e03a987b17a27 from the Zephyr repository (https://github.com/zephyrproject-rtos/zephyr/commit/448a21da12c9ea28f7fd12c6894e03a987b17a27), which replaces memcmp(ptr, ".local", 7) with strcmp(ptr, ".local") and eliminates the over-read entirely. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy