Cyber Posture

CVE-2026-1678

Critical · Public PoC

Published: 05 March 2026

Modified: 09 March 2026
KEV Added:
Patch:
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1678 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly remediates the out-of-bounds write vulnerability by applying patches from the Zephyr Project security advisory for CVE-2026-1678.
- prevent: Mandates validation of incoming DNS responses to reject malformed labels that could trigger buffer overflows in dns_unpack_name().
- prevent: Deploys memory protection mechanisms such as stack canaries and non-executable memory to block exploitation of the out-of-bounds write in Zephyr RTOS.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Remote network exploitation of DNS response parsing leads directly to memory corruption via crafted packets, matching T1190 as the initial access vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

Deeper analysis

CVE-2026-1678 is an out-of-bounds write vulnerability in the dns_unpack_name() function of the Zephyr RTOS. The function caches the buffer tailroom once and reuses this value while appending DNS labels, leading to an incorrect cached size as the buffer grows. Consequently, the final null terminator can be written past the buffer end. This affects Zephyr RTOS builds with CONFIG_DNS_RESOLVER enabled and assertions disabled, which is the default configuration. The vulnerability is classified under CWE-787 and has a CVSS 3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
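The stale-bound pattern described above, as an added illustration that is not Zephyr's code and not part of the original page: `unpack_name_checked` recomputes free space for every label and reserves the terminator byte, while `stale_check_terminator_index` models, without writing any memory, a check made against a tailroom value sampled once. Both function names, the simplified wire handling (no compression pointers) and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: "abc.de.f" in DNS wire format (8 chars + NUL = 9 bytes). */
static const uint8_t SAMPLE[] = { 3,'a','b','c', 2,'d','e', 1,'f', 0 };

/* Hypothetical simplified unpacker (no compression pointers), not Zephyr code.
 * Returns the name length, or -1 if the input is malformed or the dotted
 * name plus its NUL terminator does not fit in dst[cap]. */
int unpack_name_checked(const uint8_t *msg, size_t msg_len, char *dst, size_t cap)
{
    size_t pos = 0, len = 0;

    if (cap == 0) return -1;
    while (pos < msg_len) {
        size_t lab = msg[pos++];
        if (lab == 0) {                 /* root label ends the name */
            dst[len] = '\0';            /* in bounds: len < cap always holds */
            return (int)len;
        }
        if (lab > 63 || lab > msg_len - pos) return -1;  /* bad or truncated label */
        /* Free space is recomputed from the live length on every label, and
         * the request covers the separator, the label and the final NUL. */
        size_t need = (len ? 1 : 0) + lab + 1;
        if (need > cap - len) return -1;
        if (len) dst[len++] = '.';
        memcpy(dst + len, msg + pos, lab);
        len += lab;
        pos += lab;
    }
    return -1;                          /* no root label before end of message */
}

/* Model of the flawed pattern, touching no memory: tailroom is sampled once
 * and every label is compared against that stale value. Returns the index at
 * which the terminator would be written; a result >= cap is out of bounds. */
size_t stale_check_terminator_index(const uint8_t *msg, size_t msg_len, size_t cap)
{
    const size_t tailroom = cap;        /* cached once, never refreshed */
    size_t pos = 0, len = 0;
    while (pos < msg_len) {
        size_t lab = msg[pos++];
        if (lab == 0 || lab > 63 || lab > msg_len - pos || lab + 1 > tailroom) break;
        len += (len ? 1 : 0) + lab;
        pos += lab;
    }
    return len;
}
```

With a 4-byte destination, the stale model accepts every label in the sample and places the terminator at index 8, while the checked version rejects the name at the second label.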

A remote, unauthenticated attacker can exploit this vulnerability over the network by crafting and sending a malicious DNS response to a vulnerable system. No user interaction or special privileges are required. Exploitation triggers the out-of-bounds write, potentially allowing the attacker to corrupt memory, cause denial of service, or manipulate data integrity, with high impacts on integrity and availability alongside low confidentiality impact.

Mitigation details and patches are documented in the Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

zephyrproject zephyr ≤ 4.3.0

CVEs Like This One

- CVE-2025-1674: Same product (Zephyrproject Zephyr)
- CVE-2025-1675: Same product (Zephyrproject Zephyr)
- CVE-2026-1679: Same product (Zephyrproject Zephyr)
- CVE-2024-10395: Same product (Zephyrproject Zephyr)
- CVE-2025-1673: Same product (Zephyrproject Zephyr)
- CVE-2026-27703: Shared CWE-787
- CVE-2026-21897: Shared CWE-787
- CVE-2025-29385: Shared CWE-787
- CVE-2025-26508: Shared CWE-787
- CVE-2025-29386: Shared CWE-787