Vulnerability Details CVE-2026-10657
Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's final label is shorter than 7 bytes (e.g. names ending in .org, .com, .net, .io, or a trailing dot), the comparison reads 1-2 bytes past the string's NUL terminator. The hostname (query) is the caller-supplied name passed through the standard getaddrinfo()/dns_get_addr_info()/dns_resolve_name() path and is influenceable by operators or remote inputs (server names from configuration, parsed URLs, or app-facing interfaces). On a tightly-sized buffer with no slack (for example a userspace getaddrinfo call where the hostname is copied with k_usermode_string_alloc_copy to exactly strlen+1 bytes), the over-read crosses the allocation boundary; if that boundary is unmapped (guard page, memory-domain boundary under MPU, or an address sanitizer) the over-read faults, causing a denial of service. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIG_MDNS_RESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp(ptr, ".local").
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 15.4%
CVSS Severity
CVSS v3 Score 3.7
Products affected by CVE-2026-10657
-
cpe:2.3:o:zephyrproject:zephyr:1.10.0
-
cpe:2.3:o:zephyrproject:zephyr:1.11.0
-
cpe:2.3:o:zephyrproject:zephyr:1.12.0
-
cpe:2.3:o:zephyrproject:zephyr:1.13.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.1
-
cpe:2.3:o:zephyrproject:zephyr:1.14.2
-
cpe:2.3:o:zephyrproject:zephyr:1.14.3
-
cpe:2.3:o:zephyrproject:zephyr:2.0.0
-
cpe:2.3:o:zephyrproject:zephyr:2.1.0
-
cpe:2.3:o:zephyrproject:zephyr:2.2.0
-
cpe:2.3:o:zephyrproject:zephyr:2.3.0
-
cpe:2.3:o:zephyrproject:zephyr:2.4.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.1
-
cpe:2.3:o:zephyrproject:zephyr:2.6.0
-
cpe:2.3:o:zephyrproject:zephyr:2.6.1
-
cpe:2.3:o:zephyrproject:zephyr:2.7.0
-
cpe:2.3:o:zephyrproject:zephyr:2.79.0
-
cpe:2.3:o:zephyrproject:zephyr:2.8.0
-
cpe:2.3:o:zephyrproject:zephyr:2.81.0
-
cpe:2.3:o:zephyrproject:zephyr:2.82.0
-
cpe:2.3:o:zephyrproject:zephyr:2.83.0
-
cpe:2.3:o:zephyrproject:zephyr:2.84.0
-
cpe:2.3:o:zephyrproject:zephyr:2.85.0
-
cpe:2.3:o:zephyrproject:zephyr:2.86.0
-
cpe:2.3:o:zephyrproject:zephyr:2.87.0
-
cpe:2.3:o:zephyrproject:zephyr:2.88.0
-
cpe:2.3:o:zephyrproject:zephyr:2.89.0
-
cpe:2.3:o:zephyrproject:zephyr:2.90.0
-
cpe:2.3:o:zephyrproject:zephyr:2.91.0
-
cpe:2.3:o:zephyrproject:zephyr:2.92.0
-
cpe:2.3:o:zephyrproject:zephyr:2.93.0
-
cpe:2.3:o:zephyrproject:zephyr:2.94.0
-
cpe:2.3:o:zephyrproject:zephyr:2.95.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.1
-
cpe:2.3:o:zephyrproject:zephyr:3.1.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.01
-
cpe:2.3:o:zephyrproject:zephyr:3.2.1
-
cpe:2.3:o:zephyrproject:zephyr:3.2.31
-
cpe:2.3:o:zephyrproject:zephyr:3.2.40
-
cpe:2.3:o:zephyrproject:zephyr:3.2.41
-
cpe:2.3:o:zephyrproject:zephyr:3.3.0
-
cpe:2.3:o:zephyrproject:zephyr:3.4.0
-
cpe:2.3:o:zephyrproject:zephyr:3.5.0
-
cpe:2.3:o:zephyrproject:zephyr:3.6.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.1
-
cpe:2.3:o:zephyrproject:zephyr:3.7.2
-
cpe:2.3:o:zephyrproject:zephyr:4.0.0
-
cpe:2.3:o:zephyrproject:zephyr:4.1.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.1
-
cpe:2.3:o:zephyrproject:zephyr:4.3.0
-
cpe:2.3:o:zephyrproject:zephyr:4.3.1
-
cpe:2.3:o:zephyrproject:zephyr:4.4.0