Skip to main content

Zephyr RTOS EUVDEUVD-2026-40235

| CVE-2026-10647 MEDIUM
Deadlock (CWE-833)
2026-06-29 zephyr
5.3
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

USB-adjacent trigger (AV:A) with a required timing race (AC:H); no credentials needed from the host side; pure availability impact from permanent deadlock, no data exposure.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 22:43 vuln.today

DescriptionCVE.org

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never fires and the calling thread - a shared network traffic-class TX thread - deadlocks permanently while holding the interface TX lock, halting transmission until reboot (and leaking the transmit buffer).

The enqueue fails under conditions controlled by the attached USB host: usbd_ep_enqueue() returns -EPERM whenever the bus is suspended (a standard, persistent host operation), and the underlying udc_ep_enqueue() returns -EPERM/-ENODEV on disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard only checks the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet transmitted while the host holds the bus suspended reaches the failing enqueue and deadlocks the TX path.

The realistic trigger is a bus suspend that occurs while the exported network interface is active and has traffic to send - host sleep, USB selective/auto-suspend, or hub power management - after which any device-originated packet deadlocks the path, recoverable only by reboot. The impact is a persistent loss of the virtual network connection between the host's NCM interface and the Zephyr device; because the deadlocked thread is a shared traffic-class TX thread, egress on other network interfaces can stall as well. There is no memory corruption or information disclosure.

The defect was introduced with the CDC-NCM driver and shipped in releases through v4.4.0; it is fixed by checking the usbd_ep_enqueue() return value and freeing the buffer before the blocking wait.

AnalysisAI

USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in cdc_ncm_send() ignores the return value of usbd_ep_enqueue() and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
USB host initiates bus suspend
Delivery
Zephyr device has pending egress packet
Exploit
cdc_ncm_send() passes stale IFACE_UP guard
Execution
usbd_ep_enqueue() returns -EPERM (suspended)
Persist
Thread blocks on semaphore indefinitely
Impact
Shared TX thread deadlocks, all device egress halts

Vulnerability AssessmentAI

Exploitation Three conditions must hold simultaneously: (1) the Zephyr `device_next` USB stack must be compiled with the CDC-NCM device class enabled, and the network interface must be administratively up (IFACE_UP and DATA_IFACE_ENABLED flags set); (2) the USB host must perform a bus suspend - a standard operation during host sleep, USB selective suspend, or hub power management - causing `usbd_ep_enqueue()` to return `-EPERM`; and (3) at least one outbound network packet must arrive at `cdc_ncm_send()` during or immediately after the suspend event, before the driver's interface flags propagate the suspended state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score accurately reflects the constrained attack surface: AV:A limits exposure to USB-connected or USB-networked adjacency, and AC:H captures the required timing coincidence between active device egress and a host-initiated bus suspend. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Zephyr-based IoT or embedded device using USB CDC-NCM for host connectivity is transmitting periodic telemetry or keepalive packets. The host OS enters sleep mode or enables USB selective suspend, triggering a standard bus suspend. …
Remediation Apply fix commit 255bccc1badd1aa06c6e5ddf5b40de8463b33f02 (https://github.com/zephyrproject-rtos/zephyr/commit/255bccc1badd1aa06c6e5ddf5b40de8463b33f02), which corrects `cdc_ncm_send()` to check the `usbd_ep_enqueue()` return value and free the transmit buffer before any blocking semaphore wait, eliminating the deadlock path entirely. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-40235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy