CRITICAL🇵🇱 Wersja polska

CVE-2026-1678

CVSS 9.4v3.1pub. 2026-03-05upd. 2026-03-09

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
  • Zephyrproject Zephyr

    OS
    Zephyrproject
    ≤ 4.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-11263CRITICAL9.3PL ✓ten sam produkt

Błąd adresowania GP w Zephyr RTOS na architekturze RISC-V

CVE-2021-3329CRITICAL9.6ten sam produkt

Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack

CVE-2022-3806CRITICAL9.8ten sam produkt

Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.

CVE-2023-0397CRITICAL9.6ten sam produkt

A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buff...

CVE-2021-3966CRITICAL9.6ten sam produkt

usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.