Skip to main content

Zephyr RTOS CVE-2026-10656

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-05 zephyr
4.6
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.6 MEDIUM

Physical USB bus access required (AV:P); attacker acts as USB host needing no credentials (PR:N); impact is crash only with no confidentiality or integrity effect (A:H, C:N, I:N).

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 23:17 vuln.today

DescriptionCVE.org

The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow - in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

AnalysisAI

NULL pointer dereference in the Zephyr RTOS MAX32xxx USB device controller driver (udc_max32.c) crashes devices running Zephyr v4.4.0 when a physically connected USB host aborts an in-flight EP0 control transfer by sending a new SETUP packet - a completely legal USB protocol action. The race condition between interrupt-queued transfer-completion events and asynchronous FIFO draining by the driver thread causes net_buf_add(NULL, ...) when udc_buf_get() returns NULL on an empty FIFO, producing a near-NULL pointer dereference and device fault. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain physical USB port access
Delivery
Connect programmable USB host to target device
Exploit
Initiate EP0 control transfer
Install
Send new SETUP packet to abort transfer (legal USB behavior)
C2
EP0 FIFO drained before driver thread processes stale XFER_DONE event
Execute
net_buf_add(NULL) triggers near-NULL pointer dereference
Impact
Device crash and reset

Vulnerability AssessmentAI

Exploitation Physical USB bus access is the sole prerequisite: the attacker must be the USB host connected to the target device's USB port. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (score 4.6, Medium) accurately characterizes this as a physical-access-only denial-of-service issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a device running Zephyr v4.4.0 on MAX32xxx hardware connects a programmable USB host (such as a Facedancer, GreatFET, or even a Linux host with raw USB gadget tools) and initiates an EP0 control transfer to the target device. Before the device driver thread processes the completion event, the attacker sends a new SETUP packet - a valid USB protocol action - which causes udc_setup_received() to drain the EP0 FIFOs, leaving udc_buf_get() returning NULL when the stale XFER_OUT_DONE event is finally processed, triggering net_buf_add(NULL, ...) and crashing the device. …
Remediation Apply the upstream Zephyr fix available at commit a0d8f786559355fb3b38e34799e1ae491ba9545c (https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c), which adds NULL-buffer checks in both udc_event_xfer_out_done() and the IN-done handler that return early with UDC_EVT_ERROR/-ENOBUFS when udc_buf_get() returns NULL. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy