CVE-2026-1678
Zephyr Project · Zephyr RTOS
A buffer management flaw in dns_unpack_name() allows unauthenticated attackers to trigger an out-of-bounds write via malicious DNS responses when CONFIG_DNS_RESOLVER is enabled.
Executive summary
A critical out-of-bounds write vulnerability in the Zephyr RTOS DNS resolver could allow unauthenticated attackers to compromise affected IoT devices via malicious DNS traffic.
Vulnerability
The dns_unpack_name() function incorrectly caches buffer tailroom while appending DNS labels. This leads to an incorrect size calculation as the buffer grows, allowing a final null terminator to be written past the buffer boundaries. An unauthenticated remote attacker can exploit this by sending a malicious DNS response to a device with CONFIG_DNS_RESOLVER enabled.
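The following C example is added to this advisory to illustrate the class of accounting error described above and the bounds discipline that prevents it; it is not Zephyr's dns_unpack_name() and does not reproduce the exact arithmetic of the real defect. The function name dns_unpack_name_checked, the decision to reject compression pointers, and the wire-format sample in the comments are all assumptions made for this example. The stale_tailroom_approves_nul function is a hypothetical model of the flaw pattern (remaining space captured once and not kept in step with the growing output), written so that it performs no memory writes and only reports what such a check would have approved.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative example, not Zephyr's code. Shows the rule a label unpacker
 * must follow: the remaining space is recomputed from the current write
 * position before every append, including the final NUL, never cached. */

#define DNS_MAX_LABEL 63

/* Unpack an uncompressed wire-format name (len,label,...,0) starting at
 * msg[off] into out as a dotted string. Returns the number of characters
 * written (excluding the NUL), or -1 on malformed input or lack of space.
 * Compression pointers (top two bits of the length byte set) are rejected
 * here to keep the example short; a real resolver must follow them safely. */
int dns_unpack_name_checked(const uint8_t *msg, size_t msg_len, size_t off,
                            char *out, size_t out_len)
{
    size_t used = 0;                /* true write position in out */

    for (;;) {
        if (off >= msg_len) {
            return -1;              /* length byte missing */
        }
        uint8_t len = msg[off++];
        if (len == 0) {
            break;                  /* root label: end of name */
        }
        if (len > DNS_MAX_LABEL) {
            return -1;              /* compression pointer or invalid length */
        }
        if (len > msg_len - off) {
            return -1;              /* label runs past end of message */
        }

        /* Space needed now: optional '.', the label, and one byte reserved
         * for the NUL that must follow. Derived from `used`, not cached. */
        size_t need = (used ? 1 : 0) + len + 1;
        if (need > out_len - used) {
            return -1;              /* refuse rather than overflow */
        }
        if (used) {
            out[used++] = '.';
        }
        memcpy(out + used, msg + off, len);
        used += len;
        off += len;
    }

    /* The terminator is checked against the real remaining space as well. */
    if (used >= out_len) {
        return -1;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hypothetical model of the flaw class (not Zephyr's arithmetic): tailroom is
 * captured once and charged only for label bytes as the name grows, so the
 * separators are never accounted for and the NUL check uses a stale value.
 * Nothing is written; returns 1 if the stale check would approve writing the
 * NUL and stores the index it would write to in *nul_index. */
int stale_tailroom_approves_nul(const size_t *label_lens, size_t n_labels,
                                size_t out_len, size_t *nul_index)
{
    size_t tailroom = out_len;     /* cached once, never recomputed */
    size_t used = 0;               /* the real write position */

    for (size_t i = 0; i < n_labels; i++) {
        if (i > 0) {
            used += 1;             /* a '.' is emitted... */
        }
        if (label_lens[i] > tailroom) {
            return 0;              /* the label itself is rejected */
        }
        used += label_lens[i];
        tailroom -= label_lens[i]; /* ...but only the label is charged */
    }
    *nul_index = used;
    return tailroom > 0;           /* stale check: "room left for the NUL" */
}

/* Does the stale check approve a NUL write that the real bound (index <
 * out_len) forbids? Returns 1 when the model would have written out of range. */
int stale_check_would_overflow(const size_t *label_lens, size_t n_labels,
                               size_t out_len)
{
    size_t idx;
    if (!stale_tailroom_approves_nul(label_lens, n_labels, out_len, &idx)) {
        return 0;
    }
    return idx >= out_len;
}
```

The constructed message `03 'www' 07 'example' 03 'com' 00` needs 16 bytes of output including the terminator; dns_unpack_name_checked returns -1 for a 15-byte buffer and 15 for a 16-byte one, while the stale model approves a terminator at index 7 of a 7-byte buffer for two three-character labels. The defensive takeaway is the same as the fix direction the advisory describes: every append, the terminator included, is sized against the buffer as it is now, not as it was before the loop.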
Business impact
With a CVSS score of 9.4, this vulnerability poses a severe risk to embedded and IoT systems. Successful exploitation can lead to memory corruption, system crashes, or potentially remote code execution (RCE). In industrial or medical contexts, such a compromise could result in significant operational disruption or safety risks, because the attacker is able to corrupt low-level system memory.
Remediation
Immediate Action: Update the Zephyr RTOS kernel to the latest version that includes the fix for the DNS unpacking logic.
Proactive Monitoring: Monitor for unusual DNS traffic patterns or frequent crashes of embedded devices that utilize the Zephyr DNS resolver.
Compensating Controls: Use a secure DNS proxy or firewall to inspect and sanitize DNS responses before they reach the affected IoT devices.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations deploying devices based on Zephyr RTOS must verify whether CONFIG_DNS_RESOLVER is enabled and apply the necessary kernel updates immediately. Because this vulnerability is triggered by incoming network traffic (DNS responses) and requires no authentication, the vulnerable code is broadly reachable, and urgent remediation is needed to protect the device fleet.