CVE-2026-10657
Summary
by MITRE • 07/06/2026
Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's final label is shorter than 7 bytes (e.g. names ending in .org, .com, .net, .io, or a trailing dot), the comparison reads 1-2 bytes past the string's NUL terminator. The hostname (query) is the caller-supplied name passed through the standard getaddrinfo()/dns_get_addr_info()/dns_resolve_name() path and is influenceable by operators or remote inputs (server names from configuration, parsed URLs, or app-facing interfaces). On a tightly-sized buffer with no slack (for example a userspace getaddrinfo call where the hostname is copied with k_usermode_string_alloc_copy to exactly strlen+1 bytes), the over-read crosses the allocation boundary; if that boundary is unmapped (guard page, memory-domain boundary under MPU, or an address sanitizer) the over-read faults, causing a denial of service. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIG_MDNS_RESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp(ptr, ".local").
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability resides within zephyrs dns resolver implementation where mDNS queries ending in .local are processed through the dns_resolve_name_internal function located in subsys/net/lib/dns/resolve.c. This function employs a flawed approach to detect .local domain suffixes by utilizing memcmp with strrchr to read exactly seven bytes from the potential suffix pointer, regardless of the actual string length. The technical flaw stems from the assumption that all hostnames ending in .local will have sufficient padding for the fixed 7-byte comparison, but this fails when the final label is shorter than seven characters, creating a buffer over-read condition.
The operational impact of this vulnerability manifests when the resolved hostname's final label contains fewer than seven characters such as those ending in .org, .com, .net, .io, or any other domain suffix that does not match the expected seven-character length of .local. When the system processes these inputs through the standard getaddrinfo() or dns_get_addr_info() pathways, the maliciously crafted hostname can trigger memory access violations. The attacker-controlled input flows from server configuration parameters, parsed web addresses, or application interfaces, making this vector particularly dangerous in networked environments where external inputs are processed.
The vulnerability is specifically triggered when the hostname string is allocated with exact sizing, such as in userspace getaddrinfo calls where k_usermode_string_alloc_copy copies memory with precisely strlen+1 bytes. Under these conditions, the over-read extends beyond the allocated buffer boundary and crosses into unmapped memory regions including guard pages, memory domain boundaries under MPU protection, or address sanitizer memory regions. This causes a segmentation fault and subsequent denial of service condition that completely disrupts the network resolution functionality.
This flaw represents a classic example of improper bounds checking and unsafe string handling patterns that align with CWE-121 stack buffer overflow and CWE-787 out-of-bounds read categories within the Common Weakness Enumeration framework. The vulnerability also maps to ATT&CK technique T1059.007 for command and scripting interpreter, as it could potentially be exploited to craft malicious DNS queries that force service disruption. The issue has existed since zephyr version 1.10.0 and is specifically compiled when CONFIG_MDNS_RESOLVER is enabled, making it a persistent threat in systems utilizing this configuration.
The fix for this vulnerability involves replacing the problematic fixed-length memcmp operation with a NUL-safe strcmp comparison that properly handles variable-length string comparisons. This change eliminates the risk of accessing memory beyond the allocated buffer boundaries while maintaining identical functional behavior for legitimate .local domain queries. The mitigation approach addresses the root cause by ensuring that string comparisons respect the actual string termination rather than assuming fixed-length buffer characteristics, thereby preventing the over-read condition that leads to system denial of service.