Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
AV:P because exploitation strictly requires physical USB access; PR:N since no software credentials are needed to manipulate hardware bus state; C:N as no data is disclosed.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() (subsys/usb/host/usbh_core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.
Because UHC controller drivers (e.g. uhc_max3421e, uhc_mcux_common) synthesize UHC_EVT_DEV_REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh_device_disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k_mem_slab_free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.
Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh_device_disconnect() before freeing.
AnalysisAI
Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all three of the following: (1) physical USB port access to the target device, or control of a USB device capable of programmatically bouncing its connection state (e.g., a malicious USB gadget toggling D+/D- line state); (2) the target Zephyr firmware must be compiled with CONFIG_USB_HOST_STACK=y, an experimental Kconfig option that is disabled by default; and (3) the Zephyr version must be 4.4.0 or later, as the vulnerable connect/disconnect refactor was introduced in that release. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.1 (Medium) with AV:P accurately reflects the physical-access requirement, which is the primary risk-limiting factor - remote or network exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical access to a Zephyr-based device (such as an industrial IoT controller or USB hub aggregator) built with CONFIG_USB_HOST_STACK enabled connects a purpose-built rogue USB device capable of rapidly toggling its D+/D- line state. The attacker disconnects the device, which causes usbh_device_disconnect() to free the usb_device slab while leaving ctx->root dangling; a near-immediate reconnect-and-disconnect bounce causes the debounce-free UHC driver to fire a second UHC_EVT_DEV_REMOVED, re-entering the handler with the stale pointer and triggering the use-after-free and double-free. … |
| Remediation | Apply the upstream fix available in commit 4b87a8f161a44cb19505fa97db7cf72f64d49165 (https://github.com/zephyrproject-rtos/zephyr/commit/4b87a8f161a44cb19505fa97db7cf72f64d49165), which resolves the vulnerability by clearing ctx->root in usbh_device_disconnect() before calling k_mem_slab_free(), breaking the dangling-pointer re-entry path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43240