CVE-2026-10652: Out-of-bounds read in Zephyr DNS resolver TXT/SRV record parsing (unvalidated `rdlength`)

CVSS 4.8 · Medium · EPSS 0.20% · P10

Affected Version Matrix (1)

Vendor | Product | Version Range | Status
zephyrproject | zephyr | 4.3.0 to < 4.5.0 | affected

I. Basic Information for CVE-2026-10652

Vulnerability Information


Vulnerability Title
Out-of-bounds read in Zephyr DNS resolver TXT/SRV record parsing (unvalidated `rdlength`)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
Out-of-bounds read
Source: NVD (National Vulnerability Database)
Vulnerability Title
zephyrproject zephyr buffer error vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
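zephyrproject zephyr is an open-source real-time operating system kernel from the zephyrproject organization. zephyrproject zephyr versions 4.3.0 and 4.4.0 contain a buffer error vulnerability. It stems from the DNS resolver not correctly validating the attacker-declared rdlength when parsing resource records, which may lead to an out-of-bounds read of adjacent receive-pool memory, causing information disclosure, and in some configurations may cross the allocation boundary and cause a denial of service.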
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
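
The bounds check that the NVD description above says was missing, shown as an added C example; it is not Zephyr's code. `rr_unpack`, `txt_copy`, `check_sample` and `struct rr_view` are hypothetical names, `MAX_TEXT_SIZE` mirrors the `DNS_MAX_TEXT_SIZE` default of 64 cited in the description, and the sample record is constructed with the owner name omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RR_FIXED_LEN  10u  /* type(2) + class(2) + TTL(4) + rdlength(2) */
#define MAX_TEXT_SIZE 64u  /* mirrors the DNS_MAX_TEXT_SIZE default cited above */

struct rr_view { uint16_t type; uint16_t rdlength; size_t rdata_off; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed RR header at hdr_off (assumed to sit just past the owner name).
 * Returns 0 on success, -1 if the header or the declared rdata leaves the datagram. */
int rr_unpack(const uint8_t *msg, size_t msg_size, size_t hdr_off, struct rr_view *out)
{
    if (hdr_off > msg_size || msg_size - hdr_off < RR_FIXED_LEN)
        return -1;                                /* fixed header truncated */
    out->type      = rd16(msg + hdr_off);
    out->rdlength  = rd16(msg + hdr_off + 8);
    out->rdata_off = hdr_off + RR_FIXED_LEN;
    /* The single-chokepoint check: declared rdata must end inside msg_size.
     * Written as a subtraction so it cannot wrap. */
    if (out->rdlength > msg_size - out->rdata_off)
        return -1;
    return 0;
}

/* TXT consumer: clamps to the record-type maximum only, so it is safe
 * solely because rr_unpack() has already tied rdlength to the packet. */
size_t txt_copy(const uint8_t *msg, const struct rr_view *rr, uint8_t *dst)
{
    size_t n = rr->rdlength < MAX_TEXT_SIZE ? rr->rdlength : MAX_TEXT_SIZE;
    memcpy(dst, msg + rr->rdata_off, n);
    return n;
}

/* Constructed sample: a TXT RR declaring `declared` rdata bytes while only
 * `present` bytes follow the header. Returns bytes copied, or -1 if rejected. */
int check_sample(uint16_t declared, size_t present)
{
    uint8_t msg[RR_FIXED_LEN + MAX_TEXT_SIZE] = {0}, dst[MAX_TEXT_SIZE];
    struct rr_view rr;
    if (present > MAX_TEXT_SIZE) present = MAX_TEXT_SIZE;
    msg[1] = 16;                                  /* type TXT */
    msg[8] = (uint8_t)(declared >> 8);
    msg[9] = (uint8_t)(declared & 0xff);
    if (rr_unpack(msg, RR_FIXED_LEN + present, 0, &rr) != 0)
        return -1;
    return (int)txt_copy(msg, &rr, dst);
}
```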

Affected Products

Vendor | Product | Affected Versions | CPE
zephyrproject | zephyr | 4.3.0 ~ 4.5.0 | -

II. Public POCs for CVE-2026-10652


No public POC found.


III. Intelligence Information for CVE-2026-10652


Patches & Fixes for CVE-2026-10652 (1)

Vendor Advisories for CVE-2026-10652 (1)

Same Patch Batch · zephyrproject · 2026-06-30 · 5 CVEs total

CVE-2026-9263 | 6.5 MEDIUM | Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memor
CVE-2026-10655 | 6.5 MEDIUM | Use-after-free race in SNTP async client when closing the socket while the socket service
CVE-2026-10653 | 6.4 MEDIUM | Non-atomic `net_buf` reference counts cause double-free / free-list corruption under concu
CVE-2026-10654 | 3.1 LOW | RFCOMM session-disconnect race leaks session/L2CAP and denies further RFCOMM service in Ze
