Skip to main content

Zephyr RTOS EUVDEUVD-2026-43240

| CVE-2026-10663 MEDIUM
Use After Free (CWE-416)
2026-07-12 zephyr
6.1
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.1 MEDIUM

AV:P because exploitation strictly requires physical USB access; PR:N since no software credentials are needed to manipulate hardware bus state; C:N as no data is disclosed.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 17:30 vuln.today

DescriptionCVE.org

In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() (subsys/usb/host/usbh_core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.

Because UHC controller drivers (e.g. uhc_max3421e, uhc_mcux_common) synthesize UHC_EVT_DEV_REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh_device_disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k_mem_slab_free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.

Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh_device_disconnect() before freeing.

AnalysisAI

Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain physical USB port access
Delivery
Connect rogue USB device with controllable line state
Exploit
First disconnect fires UHC_EVT_DEV_REMOVED; usbh_device_disconnect() frees slab, ctx->root not cleared
Install
Bounce triggers second UHC_EVT_DEV_REMOVED (no debounce in uhc_max3421e/uhc_mcux_common)
C2
dev_removed_handler() dereferences dangling ctx->root
Execute
Mutex locked inside freed object; k_mem_slab_free() called twice
Impact
Kernel crash or live slab object corrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following: (1) physical USB port access to the target device, or control of a USB device capable of programmatically bouncing its connection state (e.g., a malicious USB gadget toggling D+/D- line state); (2) the target Zephyr firmware must be compiled with CONFIG_USB_HOST_STACK=y, an experimental Kconfig option that is disabled by default; and (3) the Zephyr version must be 4.4.0 or later, as the vulnerable connect/disconnect refactor was introduced in that release. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.1 (Medium) with AV:P accurately reflects the physical-access requirement, which is the primary risk-limiting factor - remote or network exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a Zephyr-based device (such as an industrial IoT controller or USB hub aggregator) built with CONFIG_USB_HOST_STACK enabled connects a purpose-built rogue USB device capable of rapidly toggling its D+/D- line state. The attacker disconnects the device, which causes usbh_device_disconnect() to free the usb_device slab while leaving ctx->root dangling; a near-immediate reconnect-and-disconnect bounce causes the debounce-free UHC driver to fire a second UHC_EVT_DEV_REMOVED, re-entering the handler with the stale pointer and triggering the use-after-free and double-free. …
Remediation Apply the upstream fix available in commit 4b87a8f161a44cb19505fa97db7cf72f64d49165 (https://github.com/zephyrproject-rtos/zephyr/commit/4b87a8f161a44cb19505fa97db7cf72f64d49165), which resolves the vulnerability by clearing ctx->root in usbh_device_disconnect() before calling k_mem_slab_free(), breaking the dangling-pointer re-entry path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-43240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy