CVE-2026-10647 Overview
CVE-2026-10647 is a denial-of-service vulnerability in the Zephyr real-time operating system's USB Communications Device Class Network Control Model (CDC-NCM) driver. The defect resides in subsys/usb/device_next/class/usbd_cdc_ncm.c, where the cdc_ncm_send() function ignores the return value of usbd_ep_enqueue(). When enqueue fails during a USB bus suspend, the transmit thread blocks indefinitely on a semaphore that will never be signaled. The deadlock halts the virtual network interface and can stall egress on other network interfaces sharing the traffic-class TX thread. Recovery requires a device reboot. The flaw affects Zephyr releases through v4.4.0 and is tracked as [CWE-833] Deadlock and [CWE-667] Improper Locking.
Critical Impact
A USB host that suspends the bus while the CDC-NCM interface has pending traffic can permanently deadlock the Zephyr device's network TX path, requiring a reboot to restore connectivity.
Affected Products
- Zephyr RTOS versions through v4.4.0
- Devices using the USB CDC-NCM device class (usbd_cdc_ncm.c)
- Zephyr-based embedded systems exposing a USB network interface to a host
Discovery Timeline
- 2026-06-29 - CVE-2026-10647 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-10647
Vulnerability Analysis
The CDC-NCM ethernet transmit callback cdc_ncm_send() submits a bulk-IN transfer via usbd_ep_enqueue() and then waits on k_sem_take(&data->sync_sem, K_FOREVER). The completion semaphore is only signaled by the bulk-IN transfer-completion callback. When usbd_ep_enqueue() fails, no transfer is registered, so the callback never fires and the wait becomes unbounded. The calling thread is a shared network traffic-class TX thread that holds the interface TX lock during the wait. Any subsequent packet on the deadlocked path — and egress on other interfaces sharing the TX thread — stalls until the device reboots. The transmit buffer allocated for the failed send is also leaked.
Root Cause
The function guards entry using only the DATA_IFACE_ENABLED and IFACE_UP flags. It does not check whether the USB bus is suspended. usbd_ep_enqueue() returns -EPERM when the bus is suspended, and the underlying udc_ep_enqueue() returns -EPERM or -ENODEV on disconnect, bus reset, or endpoint disable. Ignoring these return codes while unconditionally waiting on the completion semaphore violates the pairing between transfer submission and completion notification.
Attack Vector
Exploitation requires adjacent-network access via USB. A host holding the bus in suspend — through host sleep, USB selective or auto-suspend, or hub power management — while the Zephyr device attempts to transmit a packet is sufficient to trigger the deadlock. No authentication or user interaction on the device is required. The condition is reachable during ordinary host power-management behavior and does not require a malicious host.
size_t len = net_pkt_get_len(pkt);
struct net_buf *buf;
union send_ntb *ntb;
+ int ret;
if (len > NET_ETH_MAX_FRAME_SIZE) {
LOG_WRN("Trying to send too large packet, drop");
Source: Zephyr commit 255bccc1 — the patch introduces a ret variable to capture the usbd_ep_enqueue() return value and frees the buffer before the blocking wait when enqueue fails.
Detection Methods for CVE-2026-10647
Indicators of Compromise
- Sudden and persistent loss of the CDC-NCM virtual network link between a USB host and a Zephyr-based device following host sleep or USB suspend events.
- Zephyr network TX thread blocked in k_sem_take on the CDC-NCM sync_sem, with the interface TX lock held.
- Stalled egress on unrelated network interfaces that share the Zephyr traffic-class TX thread.
Detection Strategies
- Instrument Zephyr builds with thread-state logging or CONFIG_THREAD_ANALYZER to identify TX threads stuck in an indefinite semaphore wait.
- Monitor USB host logs for suspend and resume cycles correlated with device network connectivity loss.
- Track transmit buffer pool utilization for signs of a leaked buffer following suspend events.
Monitoring Recommendations
- Alert on Zephyr device network interfaces that stop transmitting immediately after a documented USB suspend transition.
- Watch for repeated device reboots on fleets of embedded devices connected via USB CDC-NCM.
- Correlate host-side power-management events (selective suspend, hub power gating) with device-side network outages.
How to Mitigate CVE-2026-10647
Immediate Actions Required
- Upgrade Zephyr to a release containing commit 255bccc1badd1aa06c6e5ddf5b40de8463b33f02, which checks the usbd_ep_enqueue() return value.
- Inventory embedded devices running Zephyr versions through v4.4.0 that expose a USB CDC-NCM interface.
- Where patching is not immediately possible, restrict deployments to hosts with USB suspend disabled.
Patch Information
The fix is available in the upstream Zephyr repository via commit 255bccc1 and documented in GHSA-xcf7-r86m-5q9f. The patch captures the return value of usbd_ep_enqueue(), frees the allocated buffer on failure, and skips the blocking k_sem_take call, preventing the deadlock.
Workarounds
- Disable USB selective suspend and auto-suspend on the connected host for affected Zephyr devices.
- Disable hub power management on USB hubs upstream of the device.
- Avoid host sleep states while the CDC-NCM interface is expected to carry traffic.
- Implement a device-side watchdog that reboots the device when the TX path stalls for a defined interval.
# Linux host workaround: disable USB autosuspend for the CDC-NCM device
# Replace VID:PID with the vendor/product ID of the Zephyr device
echo -1 | sudo tee /sys/bus/usb/devices/<device>/power/autosuspend_delay_ms
echo on | sudo tee /sys/bus/usb/devices/<device>/power/control
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

