PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10652 zephyrproject CVE debrief

CVE-2026-10652 is a medium-severity vulnerability in Zephyr's DNS resolver. The vulnerability occurs in the dns_unpack_answer() function, which fails to validate the rdlength field of DNS resource records, leading to an out-of-bounds read. This issue allows an attacker to leak sensitive information and potentially cause a denial of service. Affected product deployments should be identified, and owners assigned for follow-up. Official advisories and CVE records should be reviewed to validate affected scope, severity, and vendor guidance.

Vendor
zephyrproject
Product
zephyr
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-30
Original CVE updated
2026-07-17
Advisory published
2026-06-30
Advisory updated
2026-07-17

Who should care

Users of Zephyr versions 4.3.0 and 4.4.0 should be aware of this vulnerability and take necessary actions to mitigate it. Affected operators, platforms, vulnerability-management, and security teams should review the vulnerability and implement necessary controls. Monitoring, detection, and logs for exposed assets should be checked for extra review.

Technical summary

The Zephyr DNS resolver vulnerability occurs in the dns_unpack_answer() function, which does not properly validate the rdlength field of DNS resource records. This allows an attacker to craft a malicious DNS response that causes an out-of-bounds read, potentially leading to information disclosure and denial of service. The vulnerability affects Zephyr versions 4.3.0 and 4.4.0. Users should review compensating controls for exposed systems while remediation is scheduled and verified.

Defensive priority

Medium

Recommended defensive actions

  • Update to Zephyr version 4.4.1 or later
  • Implement network segmentation and isolation
  • Monitor DNS traffic for suspicious activity
  • Use secure DNS protocols and validate DNS responses
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-30T17:16:20.040Z and was last modified on 2026-07-17T23:16:35.017Z. The NVD entry is currently Analyzed. The vulnerability affects Zephyr versions 4.3.0 and 4.4.0. Users should verify their deployments and review official advisories for mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-30T17:16:20.040Z and has not been modified since then. The NVD entry is currently Analyzed.