Cyber Resilience

CVE-2026-1678

Critical · Public PoC

Published: 05 March 2026

Modified: 09 March 2026
KEV Added
Patch
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0038 (29.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1678 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-1678 is an out-of-bounds write vulnerability in the dns_unpack_name() function of the Zephyr RTOS. The function caches the buffer tailroom once and reuses this value while appending DNS labels, leading to an incorrect cached size as the buffer grows. Consequently, the final null terminator can be written past the buffer end. This affects Zephyr RTOS builds with CONFIG_DNS_RESOLVER enabled and assertions disabled, which is the default configuration. The vulnerability is classified under CWE-787 and has a CVSS 3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
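
The stale-bound pattern described above, reduced to a stand-alone C model. This is an added example, not Zephyr's code or the advisory's: `unpack_name`, `outbuf`, the 16-byte capacity and the sample labels are constructed for illustration, and DNS compression pointers are not modelled. Guard bytes after the logical capacity make the stray terminator observable without leaving the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAP   16   /* logical capacity of the name buffer (constructed value) */
#define GUARD 80   /* slack after it, so the demo itself never leaves the array */
#define FILL  0xAA

struct outbuf { uint8_t mem[CAP + GUARD]; size_t len; };

/* Constructed input: two length-prefixed labels (7 and 8 bytes), then the end byte. */
static const uint8_t SAMPLE[] = { 7,'e','x','a','m','p','l','e',
                                  8,'i','n','t','e','r','n','a','l', 0 };

/* Decode labels into "a.b" form plus NUL. stale_bound=1 samples the free space once
 * before the loop; stale_bound=0 recomputes it from the current length for every
 * label and keeps one byte for the terminator. Returns 0 on success, -1 on reject. */
int unpack_name(struct outbuf *b, const uint8_t *src, size_t srclen, int stale_bound)
{
    memset(b->mem, FILL, sizeof(b->mem));
    b->len = 0;
    size_t cached_room = CAP - b->len;           /* correct only while len == 0 */
    size_t i = 0;

    while (i < srclen && src[i] != 0) {
        size_t n = src[i++];
        size_t sep = b->len > 0 ? 1 : 0;         /* '.' between labels */
        size_t room = stale_bound ? cached_room : CAP - b->len;

        if (n > 63 || i + n > srclen) return -1; /* malformed or truncated label */
        if (sep + n + 1 > room) return -1;       /* separator + label + NUL must fit */
        if (b->len + sep + n + 1 > sizeof(b->mem)) return -1; /* demo safety net */
        if (sep) b->mem[b->len++] = '.';
        memcpy(&b->mem[b->len], &src[i], n);
        b->len += n;
        i += n;
    }
    if (i >= srclen) return -1;                  /* no terminating zero label */
    b->mem[b->len] = '\0';                       /* index CAP when len == CAP */
    return 0;
}

/* Detection helper: was anything written at or beyond the logical capacity? */
int guard_clobbered(const struct outbuf *b)
{
    for (size_t k = CAP; k < sizeof(b->mem); k++)
        if (b->mem[k] != FILL) return 1;
    return 0;
}
```

With the constructed sample, each label passes the stale check on its own, the name fills all 16 bytes, and the terminator lands one byte past the logical end; the recomputed bound rejects the second label instead.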

A remote, unauthenticated attacker can exploit this vulnerability over the network by crafting and sending a malicious DNS response to a vulnerable system. No user interaction or special privileges are required. Exploitation triggers the out-of-bounds write, potentially allowing the attacker to corrupt memory, cause denial of service, or manipulate data integrity, with high impacts on integrity and availability alongside low confidentiality impact.

Mitigation details and patches are documented in the Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42.

Vulnerability details

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote network exploitation of DNS response parsing leads directly to memory corruption via crafted packets, matching T1190 as the initial access vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1674 · Same product: Zephyrproject Zephyr
CVE-2025-1675 · Same product: Zephyrproject Zephyr
CVE-2024-10395 · Same product: Zephyrproject Zephyr
CVE-2026-1679 · Same product: Zephyrproject Zephyr
CVE-2025-1673 · Same product: Zephyrproject Zephyr
CVE-2025-27807 · Shared CWE-787
CVE-2024-48856 · Shared CWE-787
CVE-2025-14234 · Shared CWE-787
CVE-2018-25223 · Shared CWE-787
CVE-2018-25154 · Shared CWE-787

Affected Assets

zephyrproject zephyr, versions ≤ 4.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds write vulnerability by applying patches from the Zephyr Project security advisory for CVE-2026-1678.

prevent

Mandates validation of incoming DNS responses to reject malformed labels that could trigger buffer overflows in dns_unpack_name().

prevent

Deploys memory protection mechanisms such as stack canaries and non-executable memory to block exploitation of the out-of-bounds write in Zephyr RTOS.