CVE-2026-1678CRITICAL 9.8EPSS p29.2%

CVE-2026-1678CVE-2026-1678

Description

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.38% probability of exploitation · percentile 29.2% · 2026-06-19T12:03:05Z
Published2026-03-05
Last modified2026-03-09

Underlying weaknesses· 1

CWE-787

References

  1. https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42
  2. https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42

1

TypeTargetConfidenceTier
WeaknessOut-of-bounds Writecwe-7870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-1675
CVE
CVE-2025-1673
CVE
CVE-2026-24028
CVE
CVE-2026-4892
CVE
CVE-2025-24064
CVE
CVE-2026-5066
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.