Zephyr's DNS resolver detects mDNS (.local) queries in dnsresolvenameinternal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's final label is shorter than 7 bytes (e.g. names ending in .org, .com, .net, .io, or a trailing dot), the comparison reads 1-2 bytes past the string's NUL terminator. The hostname (query) is the caller-supplied name passed through the standard getaddrinfo()/dnsgetaddrinfo()/dnsresolvename() path and is influenceable by operators or remote inputs (server names from configuration, parsed URLs, or app-facing interfaces). On a tightly-sized buffer with no slack (for example a userspace getaddrinfo call where the hostname is copied with kusermodestringalloccopy to exactly strlen+1 bytes), the over-read crosses the allocation boundary; if that boundary is unmapped (guard page, memory-domain boundary under MPU, or an address sanitizer) the over-read faults, causing a denial of service. The over-read bytes are never returned, so there is no information disclosure. The flaw is compiled only when CONFIGMDNSRESOLVER is enabled, exists since v1.10.0, and is fixed by replacing the fixed-length memcmp with a NUL-safe strcmp(ptr, ".local").
{
"cna_assigner": "zephyr",
"cwe_ids": [
"CWE-125"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.10.0"
},
{
"fixed": "4.5.0"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10657.json"
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10657.json"
[
{
"id": "CVE-2026-10657-44961b50",
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/zephyrproject-rtos/zephyr/commit/448a21da12c9ea28f7fd12c6894e03a987b17a27",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"217076341147707283209980226696780142350",
"237695844914287379872897322649849518610",
"27488736658733500899981221458907867403",
"274721795573038378855851890461020493048"
]
},
"target": {
"file": "subsys/net/lib/dns/resolve.c"
}
},
{
"id": "CVE-2026-10657-bda56889",
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/zephyrproject-rtos/zephyr/commit/448a21da12c9ea28f7fd12c6894e03a987b17a27",
"deprecated": false,
"digest": {
"function_hash": "73264003649189573634478034123432306279",
"length": 6401.0
},
"target": {
"function": "dns_resolve_name_internal",
"file": "subsys/net/lib/dns/resolve.c"
}
}
]
"2026-07-15T06:09:50Z"