PatchSiren cyber security CVE debrief
CVE-2026-10657 Zephyrproject CVE debrief
A low-severity denial of service vulnerability exists in Zephyr's DNS resolver. The vulnerability occurs when the DNS resolver detects mDNS (.local) queries and performs a fixed-length comparison that can read beyond the string's NUL terminator, potentially causing a fault when the hostname's final label is shorter than 7 bytes. This can happen when the resolved hostname's final label is shorter than 7 bytes, such as names ending in .org, .com, .net, .io, or a trailing dot. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIG_MDNS_RESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp.
- Vendor
- Zephyrproject
- Product
- Zephyr RTOS
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-05
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-05
- Advisory updated
- 2026-07-08
Who should care
Operators and developers using Zephyr's DNS resolver, particularly those with CONFIG_MDNS_RESOLVER enabled, should be aware of this vulnerability and take steps to defend against it. This includes reviewing and updating Zephyr configurations, implementing careful handling of DNS queries and hostname lengths, and applying patches or updates provided by Zephyr.
Technical summary
The vulnerability is caused by a fixed-length memcmp in dns_resolve_name_internal() that reads 7 bytes from the suffix pointer, potentially reading beyond the string's NUL terminator when the hostname's final label is shorter than 7 bytes. This can cause a denial of service when the over-read crosses an allocation boundary and faults. The vulnerability exists since Zephyr version 1.10.0 and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp. The CVE record was published on 2026-07-05T23:16:52.863Z and last modified on 2026-07-08T14:55:01.560Z.
Defensive priority
Low-severity denial of service vulnerability requires careful handling of DNS queries and hostname lengths, with priority on patching and compensating controls for exposed systems.
Recommended defensive actions
- Review and update Zephyr configurations to ensure CONFIG_MDNS_RESOLVER is not enabled unnecessarily.
- Implement careful handling of DNS queries and hostname lengths to prevent faults.
- Apply patches or updates provided by Zephyr to fix the vulnerability.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The vulnerability exists since Zephyr version 1.10.0 and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp. The CVE record was published on 2026-07-05T23:16:52.863Z and last modified on 2026-07-08T14:55:01.560Z. Evidence is limited to public statements from Zephyr and CVE.org. Defenders should verify patch application and review system configurations for CONFIG_MDNS_RESOLVER.
Official resources
-
CVE-2026-10657 CVE record
CVE.org
-
CVE-2026-10657 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-05T23:16:52.863Z and has not been modified since then.