What is CVE-2026-1678?

CVE-2026-1678 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Out-of-bounds Write. CVSS score: 9.4/10. Published 2026-03-05.

How severe is CVE-2026-1678?

Critical severity. CVSS v3 base score is 9.4 out of 10.

Buffer overflow in Zephyrproject-rtos Zephyr

CVE-2026-1678

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (def…

Vulnerability class: Buffer Overflow

EPSS: 0.001 (24.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H.

Affected products

Zephyrproject-rtos Zephyr

Weakness classification (CWE)

CWE-787 — Out-of-bounds Write

References

github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42

Frequently asked questions

What is CVE-2026-1678?: CVE-2026-1678 is a critical-severity vulnerability in Zephyrproject-rtos Zephyr, classified under Out-of-bounds Write. CVSS score: 9.4/10. Published 2026-03-05.
How severe is CVE-2026-1678?: Critical severity. CVSS v3 base score is 9.4 out of 10.