Security researchers have disclosed a critical memory-safety vulnerability in the Zephyr Project, a high-profile, scalable real-time operating system (RTOS) designed for resource-constrained IoT devices. The flaw, tracked as CVE-2026-1678 with a CVSS score of 9.4, could allow unauthenticated remote attackers to achieve code execution on devices ranging from smartwatches to industrial wireless gateways.
Zephyr is widely regarded as a “security-first” RTOS, supported by major hardware architectures and used in millions of embedded sensors and wearables.
The vulnerability resides in the dns_unpack_name() function, located within the system’s DNS packing library. The issue stems from an improper handling of buffer sizes during the parsing of DNS responses.
When the function begins, it snapshots the available buffer space (dest_size). As the parser appends name labels, the buffer's used length grows, but dest_size is never updated to reflect the space already consumed.
Because the code relies on this stale boundary, it does not notice when it has run out of space. In particular, the final null terminator is written without a fresh check, producing an out-of-bounds write.
The vulnerability is particularly potent because Zephyr’s safety assertions (CONFIG_ASSERT) are disabled by default in production builds. Without these assertions, the code performs unchecked writes rather than triggering a safe system halt.
The impact of this flaw is severe due to its reach and ease of exploitation:
- An attacker can trigger the vulnerability simply by sending a crafted DNS response to a device running a vulnerable Zephyr application.
- By driving an out-of-bounds write of approximately 100–200 bytes of attacker-controlled data, an attacker could achieve Remote Code Execution (RCE), depending on the device’s memory layout.
- Any Zephyr build that enables the DNS resolver (CONFIG_DNS_RESOLVER) using default assertion settings is considered vulnerable.
Researchers demonstrated that the textual name length in a DNS message can easily exceed the default 255-byte buffer while remaining within the allowed 512-byte message size. By sending a response with repeated 63-byte labels, an attacker can advance the buffer length beyond its actual capacity, overwriting critical adjacent memory.
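As an added illustration (not Zephyr's code and not the researchers' proof of concept), the stale-bound pattern described above sits beside its hardened form, both run over a constructed message of repeated 63-byte labels; the function names, the simplified layout and the 255/512-byte limits as used here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample input (not captured traffic): n 63-byte labels plus the root
 * terminator, in wire format. Returns the number of bytes written into msg. */
size_t build_long_name(uint8_t *msg, size_t msg_cap, int n)
{
    size_t pos = 0;
    if ((size_t)n * 64 + 1 > msg_cap) return 0;
    for (int i = 0; i < n; i++, pos += 64) {
        msg[pos] = 63;
        memset(msg + pos + 1, 'a', 63);
    }
    msg[pos++] = 0;
    return pos;
}

/* Simplified unpacker (not Zephyr's code). fresh == 0 reproduces the stale-bound pattern
 * (each label compared against the initial dest_size alone); fresh == 1 checks what is left. */
int unpack_name(const uint8_t *msg, size_t msg_len, char *dest, size_t dest_size, int fresh)
{
    size_t pos = 0, out = 0;
    if (dest_size == 0) return -2;
    while (pos < msg_len && msg[pos] != 0) {
        uint8_t len = msg[pos++];
        if (len > 63 || pos + len > msg_len) return -1;   /* malformed label */
        size_t need = (out ? 1 : 0) + len + 1;            /* dot + label + NUL */
        if (need > (fresh ? dest_size - out : dest_size)) return -2;
        if (out) dest[out++] = '.';
        memcpy(dest + out, msg + pos, len);
        out += len; pos += len;
    }
    dest[out] = '\0';   /* in-bounds only if every iteration checked the remaining room */
    return (int)out;
}

/* Five labels: 321 wire bytes (inside 512) but 319 text bytes (past a 255-byte buffer).
 * dest is oversized so the demo stays in bounds; *hit flags the byte just past 255. */
static int run(int fresh, int *hit)
{
    uint8_t msg[512];
    char dest[512];
    size_t n = build_long_name(msg, sizeof msg, 5);
    memset(dest, 0x7f, sizeof dest);
    int r = unpack_name(msg, n, dest, 255, fresh);
    *hit = dest[255] != 0x7f;
    return r;
}
int demo_result(int fresh)     { int h; return run(fresh, &h); }
int demo_canary_hit(int fresh) { int h; run(fresh, &h); return h; }
```

With fresh checks the fourth label is rejected with -2 and the byte past the declared limit is untouched; with the stale bound the unpacker reports 319 bytes written and that byte is clobbered.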
Developers and manufacturers using the Zephyr Project should take immediate action:
- Apply Patches: Update your Zephyr OS distribution to the latest version where dns_unpack_name() has been hardened with fresh tailroom checks for every write.
- Enable Assertions: For critical infrastructure or security-sensitive devices, consider enabling CONFIG_ASSERT=y to ensure the system halts safely if a memory boundary is violated.
- Adjust Buffer Sizes: Review CONFIG_DNS_RESOLVER_MAX_QUERY_LEN to ensure your buffer sizes are appropriately scaled for the types of network traffic your device expects.