Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
USB-adjacent trigger (AV:A) with a required timing race (AC:H); no credentials needed from the host side; pure availability impact from permanent deadlock, no data exposure.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never fires and the calling thread - a shared network traffic-class TX thread - deadlocks permanently while holding the interface TX lock, halting transmission until reboot (and leaking the transmit buffer).
The enqueue fails under conditions controlled by the attached USB host: usbd_ep_enqueue() returns -EPERM whenever the bus is suspended (a standard, persistent host operation), and the underlying udc_ep_enqueue() returns -EPERM/-ENODEV on disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard only checks the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet transmitted while the host holds the bus suspended reaches the failing enqueue and deadlocks the TX path.
The realistic trigger is a bus suspend that occurs while the exported network interface is active and has traffic to send - host sleep, USB selective/auto-suspend, or hub power management - after which any device-originated packet deadlocks the path, recoverable only by reboot. The impact is a persistent loss of the virtual network connection between the host's NCM interface and the Zephyr device; because the deadlocked thread is a shared traffic-class TX thread, egress on other network interfaces can stall as well. There is no memory corruption or information disclosure.
The defect was introduced with the CDC-NCM driver and shipped in releases through v4.4.0; it is fixed by checking the usbd_ep_enqueue() return value and freeing the buffer before the blocking wait.
AnalysisAI
USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in cdc_ncm_send() ignores the return value of usbd_ep_enqueue() and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must hold simultaneously: (1) the Zephyr `device_next` USB stack must be compiled with the CDC-NCM device class enabled, and the network interface must be administratively up (IFACE_UP and DATA_IFACE_ENABLED flags set); (2) the USB host must perform a bus suspend - a standard operation during host sleep, USB selective suspend, or hub power management - causing `usbd_ep_enqueue()` to return `-EPERM`; and (3) at least one outbound network packet must arrive at `cdc_ncm_send()` during or immediately after the suspend event, before the driver's interface flags propagate the suspended state. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score accurately reflects the constrained attack surface: AV:A limits exposure to USB-connected or USB-networked adjacency, and AC:H captures the required timing coincidence between active device egress and a host-initiated bus suspend. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Zephyr-based IoT or embedded device using USB CDC-NCM for host connectivity is transmitting periodic telemetry or keepalive packets. The host OS enters sleep mode or enables USB selective suspend, triggering a standard bus suspend. … |
| Remediation | Apply fix commit 255bccc1badd1aa06c6e5ddf5b40de8463b33f02 (https://github.com/zephyrproject-rtos/zephyr/commit/255bccc1badd1aa06c6e5ddf5b40de8463b33f02), which corrects `cdc_ncm_send()` to check the `usbd_ep_enqueue()` return value and free the transmit buffer before any blocking semaphore wait, eliminating the deadlock path entirely. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-833 – Deadlock
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40235