PT-2026-53911 · Zephyrproject · Zephyr
Publicado
2026-06-30
·
Atualizado
2026-06-30
·
CVE-2026-10652
CVSS v3.1
4.8
Média
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns unpack answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns validate record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS MAX TEXT SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns msg->msg size at the single chokepoint in dns unpack answer(). Affected: v4.3.0 and v4.4.0.
Exploit
Correção
Out of bounds Read
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zephyr