Skip to main content

Zephyr RTOS EUVDEUVD-2026-43245

| CVE-2026-10668 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-07-12 zephyr
2.4
CVSS 3.1 · Vendor: zephyr

Severity by source

Vendor (zephyr) PRIMARY
2.4 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
2.4 LOW

Physical USB bus control required (AV:P); attacker needs no privileges on device (PR:N); impact is availability-only and limited to USB function (A:L, C:N, I:N).

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 17:20 vuln.today

DescriptionCVE.org

The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data IN already armed for a previous transfer, a USB host that cancels an in-flight control transfer (timeout) and then issues a new SETUP packet can drive the driver out of sync: stale data may be transmitted in the new transfer and the control endpoint can become permanently stuck NAK'ing every subsequent control transfer.

A malicious or buggy host (physical/adjacent attacker driving the bus) can repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint, denying service to the device's USB function (the device stops enumerating/responding on the control pipe) until a USB reset or re-plug. The flaw is an availability-only denial of service; the FIFO copy loops (bounded by net_buf length and the hardware BUFFULL flag) and the net_buf lifecycle are independent of the arming desync, so there is no out-of-bounds access, use-after-free, or information leak.

The fix monitors the IN-token and new-SETUP events (k_event) and only arms control Data IN when an IN token is present and no new SETUP has arrived, cancelling the current transfer on a new SETUP. Affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED); shipped in v4.4.0.

AnalysisAI

Denial of service in Zephyr RTOS's Nuvoton NuMaker HSUSBD USB device-controller driver allows a physical or adjacent USB host to permanently wedge the device's USB control endpoint. The driver unconditionally arms the control Data IN stage without accounting for the hardware's inability to disarm an already-armed transfer, so a host that cancels an in-flight control transfer and then re-issues a SETUP packet drives the driver out of sync. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Connect malicious USB host to device port
Delivery
Issue valid SETUP packet to start control transfer
Exploit
Intentionally cancel/timeout in-flight control transfer
Install
Re-issue new SETUP packet immediately
C2
Repeat cancel-and-re-SETUP to desync driver state
Execute
Control endpoint permanently NAKs
Impact
USB function unavailable

Vulnerability AssessmentAI

Exploitation Physical or directly adjacent USB bus control is required - the attacker must be able to drive the USB bus as a USB host connected to the vulnerable device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a device's USB port connects a malicious or scripted USB host (such as a Facedancer or similar USB exploitation tool) that deliberately times out control transfers and rapidly re-issues SETUP packets. After a small number of cancel-and-re-SETUP cycles, the HSUSBD hardware and driver state become permanently desynchronized, causing the control endpoint to NAK all subsequent control transfers. …
Remediation The upstream fix is available as commit 48e003326873e8bbc0ee4b67334e0dd8b5fb890f in the Zephyr project repository at https://github.com/zephyrproject-rtos/zephyr/commit/48e003326873e8bbc0ee4b67334e0dd8b5fb890f. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-43245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy