Zephyr RTOS
CVE-2026-10656
MEDIUM
Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Physical USB bus access required (AV:P); attacker acts as USB host needing no credentials (PR:N); impact is crash only with no confidentiality or integrity effect (A:H, C:N, I:N).
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow - in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.
AnalysisAI
NULL pointer dereference in the Zephyr RTOS MAX32xxx USB device controller driver (udc_max32.c) crashes devices running Zephyr v4.4.0 when a physically connected USB host aborts an in-flight EP0 control transfer by sending a new SETUP packet - a completely legal USB protocol action. The race condition between interrupt-queued transfer-completion events and asynchronous FIFO draining by the driver thread causes net_buf_add(NULL, ...) when udc_buf_get() returns NULL on an empty FIFO, producing a near-NULL pointer dereference and device fault. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Physical USB bus access is the sole prerequisite: the attacker must be the USB host connected to the target device's USB port. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (score 4.6, Medium) accurately characterizes this as a physical-access-only denial-of-service issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical access to a device running Zephyr v4.4.0 on MAX32xxx hardware connects a programmable USB host (such as a Facedancer, GreatFET, or even a Linux host with raw USB gadget tools) and initiates an EP0 control transfer to the target device. Before the device driver thread processes the completion event, the attacker sends a new SETUP packet - a valid USB protocol action - which causes udc_setup_received() to drain the EP0 FIFOs, leaving udc_buf_get() returning NULL when the stale XFER_OUT_DONE event is finally processed, triggering net_buf_add(NULL, ...) and crashing the device. … |
| Remediation | Apply the upstream Zephyr fix available at commit a0d8f786559355fb3b38e34799e1ae491ba9545c (https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c), which adds NULL-buffer checks in both udc_event_xfer_out_done() and the IN-done handler that return early with UDC_EVT_ERROR/-ENOBUFS when udc_buf_get() returns NULL. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today