CVE-2026-10652
published 2026-06-30CVE-2026-10652: Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type…
PriorityP423medium4.8CVSS 3.1
AVNACHPRNUINSUCLINAL
EPSS
0.20%
10.4th percentile
Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c) then read up to rdlength bytes (clamped only to a record-type maximum such as DNS_MAX_TEXT_SIZE, default 64, not to the packet) from the receive buffer via memcpy without their own bounds check, and pass the result to the application's resolve callback. A malicious or spoofed DNS server, an on-path attacker forging UDP DNS replies, or (with mDNS/LLMNR enabled) any LAN node can craft a truncated TXT or SRV response that causes an out-of-bounds read of adjacent receive-pool memory; the disclosed stale bytes (residual contents of prior DNS packets / uninitialized pool memory) are returned to the application as TXT/SRV record contents, an information leak, and may in some configurations cross the allocation boundary and fault, causing a denial of service. The read is bounded (~64 bytes for TXT, ~6 for SRV) and read-only (no write). The fix rejects any record whose declared rdata extends past dns_msg->msg_size at the single chokepoint in dns_unpack_answer(). Affected: v4.3.0 and v4.4.0.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zephyrproject | zephyr | >= 4.3.0 < 4.5.0 | 4.5.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
zephyrproject zephyr up to 4.4.x dns_unpack_answer msg_size out-of-bounds (GHSA-3jxq-xx8g-q8j2)
vuldb·2026-06-30·CVSS 4.8
CVE-2026-10652 [MEDIUM] zephyrproject zephyr up to 4.4.x dns_unpack_answer msg_size out-of-bounds (GHSA-3jxq-xx8g-q8j2)
A vulnerability classified as critical was found in zephyrproject zephyr up to 4.4.x. This impacts the function dns_unpack_answer. Executing a manipulation of the argument msg_size can lead to out-of-bounds read.
This vulnerability appears as CVE-2026-10652. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
Citrix
Citrix Security Bulletin CTX234879
vendor_citrix·CVSS 9.8
CVE-2018-10648 [CRITICAL] Citrix Security Bulletin CTX234879
Citrix Security Bulletin CTX234879
CVE References: CVE-2018-10648, CVE-2018-10649, CVE-2018-10650, CVE-2018-10651, CVE-2018-10652, CVE-2018-10653, CVE-2018-10654, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-30
Published