CVE-2026-10657 Overview
CVE-2026-10657 is an out-of-bounds read vulnerability in the Zephyr real-time operating system's DNS resolver. The flaw resides in dns_resolve_name_internal() within subsys/net/lib/dns/resolve.c, where the resolver uses memcmp() with a fixed 7-byte length to detect Multicast DNS (mDNS) .local queries. When a resolved hostname's final label is shorter than 7 bytes, the comparison reads 1 to 2 bytes past the string's NUL terminator. Attacker-controlled hostnames passed through getaddrinfo() or dns_resolve_name() can trigger the over-read, causing a denial of service on tightly-bounded allocations. The vulnerability exists since Zephyr v1.10.0 and is classified as [CWE-125].
Critical Impact
A remote attacker supplying a crafted hostname to any application that resolves DNS names can crash the Zephyr device by triggering the out-of-bounds read across an unmapped memory boundary.
Affected Products
- Zephyr RTOS versions from v1.10.0 onward
- Zephyr builds with CONFIG_MDNS_RESOLVER enabled
- Applications using getaddrinfo(), dns_get_addr_info(), or dns_resolve_name() on Zephyr
Discovery Timeline
- 2026-07-05 - CVE-2026-10657 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-10657
Vulnerability Analysis
Zephyr's DNS resolver attempts to identify mDNS queries by comparing the last label of a hostname to .local. The original implementation uses memcmp(strrchr(query, '.'), ".local", 7), which reads exactly 7 bytes from the suffix pointer regardless of the actual string length. Hostnames ending in shorter labels such as .org, .com, .net, .io, or a trailing dot produce suffix strings whose length plus NUL terminator is less than 7 bytes. The comparison consequently reads 1 to 2 bytes beyond the terminating NUL byte.
The attacker-controlled input reaches this code path through the standard resolver API. Hostnames originate from operator configuration, parsed URLs, or remote application-facing interfaces. The over-read bytes are never returned to the caller, so no information disclosure occurs. However, availability is affected when the target buffer sits at an allocation boundary backed by no readable memory.
Root Cause
The root cause is a fixed-length memory comparison used against a NUL-terminated string. The developer's inline comment Note that we memcmp() the \0 here too acknowledges the intent to include the NUL byte in the comparison, but the code fails to verify that the suffix is at least 6 characters long before reading 7 bytes. The safe replacement is strcmp(ptr, ".local"), which stops at the first NUL byte.
Attack Vector
An attacker who can influence a hostname resolved by a Zephyr device triggers the flaw remotely without authentication. Common trigger paths include userspace getaddrinfo() calls where the hostname is copied with k_usermode_string_alloc_copy() to exactly strlen+1 bytes. When the resulting allocation sits adjacent to a guard page, memory-domain boundary enforced by an MPU, or an address sanitizer shadow region, the over-read faults. The result is a denial of service on the resolver thread or the calling application.
if (IS_ENABLED(CONFIG_MDNS_RESOLVER)) {
const char *ptr = strrchr(query, '.');
- /* Note that we memcmp() the \0 here too */
- if (ptr && !memcmp(ptr, (const void *){ ".local" }, 7)) {
+ if (ptr && strcmp(ptr, ".local") == 0) {
mdns_query = true;
ctx->queries[i].id = 0;
Source: Zephyr commit 448a21d — the patch replaces the fixed-length memcmp() with a NUL-safe strcmp().
Detection Methods for CVE-2026-10657
Indicators of Compromise
- Unexpected crashes or memory faults in Zephyr threads that invoke dns_resolve_name_internal()
- Kernel panics or MPU access violations correlated with DNS resolution requests
- Application logs showing hostname lookups for domains ending in short labels immediately before device restart
Detection Strategies
- Enable address sanitizer or memory-domain enforcement in test builds to surface the over-read deterministically
- Audit Zephyr build configurations for CONFIG_MDNS_RESOLVER=y combined with vulnerable versions
- Fuzz the DNS resolver entry points with hostnames terminating in .org, .com, .net, .io, and trailing-dot variants
Monitoring Recommendations
- Monitor Zephyr device availability metrics and reboot frequency for anomalies tied to network activity
- Log all outbound hostname resolution requests and correlate failures with device restarts
- Track firmware versions across the fleet to identify devices still running Zephyr builds prior to the fix commit
How to Mitigate CVE-2026-10657
Immediate Actions Required
- Update Zephyr to a version containing commit 448a21da12c9ea28f7fd12c6894e03a987b17a27 and rebuild firmware
- Inventory deployed devices to identify builds with CONFIG_MDNS_RESOLVER enabled
- Restrict which components and remote inputs can supply hostnames to the resolver until the patch is deployed
Patch Information
The upstream fix replaces the fixed-length memcmp() with strcmp(ptr, ".local"), which stops at the NUL terminator and eliminates the over-read. Details are available in the Zephyr Security Advisory GHSA-76jh-3j5f-9vq4 and the upstream commit 448a21d.
Workarounds
- Disable CONFIG_MDNS_RESOLVER at build time if mDNS resolution is not required by the application
- Validate or sanitize hostnames at the application layer before passing them to getaddrinfo() or dns_resolve_name()
- Ensure hostname copy buffers include at least 6 bytes of slack beyond the terminating NUL to prevent the over-read from crossing an unmapped boundary
# Disable the vulnerable code path in prj.conf until firmware is updated
CONFIG_MDNS_RESOLVER=n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

