Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10656

CVE-2026-10656: Zephyrproject Zephyr DoS Vulnerability

CVE-2026-10656 is a denial of service flaw in Zephyrproject Zephyr's MAX32xxx USB driver that allows attackers to crash devices via NULL pointer dereference. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-10656 Overview

CVE-2026-10656 is a NULL pointer dereference vulnerability in the Zephyr RTOS MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs). The driver dereferences an endpoint buffer in its OUT and IN transfer-completion handlers without validating it against NULL. A USB host can abort an in-flight EP0 control transfer with a new SETUP packet, causing the endpoint FIFO to drain before the queued XFER_OUT_DONE event is processed. The stale event then triggers net_buf_add(NULL, ...), crashing the device. The defect was introduced when the MAX32 UDC driver shipped in Zephyr v4.4.0. This weakness is categorized under [CWE-476].

Critical Impact

An attacker with physical USB bus access can crash the affected device without authentication, resulting in denial of service on embedded systems running Zephyr.

Affected Products

  • Zephyr Project Zephyr RTOS v4.4.0 and later (prior to patch)
  • Devices using the MAX32xxx USB device controller driver (udc_max32.c)
  • Boards with adi_max32_usbhs compatible USB peripherals

Discovery Timeline

  • 2026-07-05 - CVE-2026-10656 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-10656

Vulnerability Analysis

The flaw resides in the transfer-completion handlers of the MAX32 USB device controller driver. The function udc_event_xfer_out_done() calls net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg). When the endpoint FIFO is empty, udc_buf_get() returns NULL, but the code proceeds without validation. The same defect exists in the IN-done handler path.

Transfer-completion events are queued from interrupt context and processed asynchronously by the driver thread. Between event queuing and processing, host-controlled control flow can drain the endpoint FIFO. Specifically, udc_setup_received() drains EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue, disable, and purge paths behave the same way.

Root Cause

The root cause is the missing NULL check on the buffer returned by udc_buf_get() and udc_buf_peek() in the transfer-completion handlers. The driver assumed the FIFO would always contain a buffer at the time the event is processed, but this assumption breaks under legal USB host behavior that drains the FIFO between event queuing and dispatch.

Attack Vector

Exploitation requires physical access to the USB bus of the target device. A malicious USB host aborts an in-flight EP0 control transfer by issuing a new SETUP packet — a legal USB protocol behavior. This drains the EP0 FIFO before the previously queued XFER_OUT_DONE event is dispatched. When the driver thread processes the stale event, it dereferences a NULL buffer pointer, causing a fault that crashes the device. No authentication or user interaction is required.

c
 	memset(ep_request, 0, sizeof(MXC_USB_Req_t));
 
 	buf = udc_buf_peek(ep_cfg);
-	if (buf == NULL) {
-		LOG_ERR("Failed to peek net_buf for ep 0x%02x", ep_cfg->addr);
+	if (unlikely(buf == NULL)) {
 		return;
 	}

Source: Zephyr Project security patch commit a0d8f78

The patch adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

Detection Methods for CVE-2026-10656

Indicators of Compromise

  • Unexpected device resets or kernel faults on Zephyr-based embedded systems using MAX32xxx USB peripherals
  • Fault logs referencing udc_event_xfer_out_done or net_buf_add on affected boards
  • Repeated USB enumeration failures immediately preceding a device crash

Detection Strategies

  • Audit firmware manifests for Zephyr versions v4.4.0 or later that include udc_max32.c
  • Review USB bus captures for abnormal SETUP packets aborting in-flight EP0 control transfers
  • Instrument device firmware to log NULL buffer conditions in USB endpoint transfer handlers

Monitoring Recommendations

  • Monitor Zephyr device crash and reboot telemetry for patterns correlating with USB host interactions
  • Track supply-chain SBOM data for Zephyr components in shipped devices to identify affected firmware
  • Watch the Zephyr Project security advisories feed for related USB stack defects

How to Mitigate CVE-2026-10656

Immediate Actions Required

  • Apply the upstream Zephyr commit a0d8f786559355fb3b38e34799e1ae491ba9545c to affected firmware trees
  • Rebuild and redeploy firmware for all devices using the adi_max32_usbhs USB controller
  • Restrict physical access to devices running unpatched Zephyr firmware until the fix is deployed

Patch Information

The fix is available in the Zephyr Project repository as commit a0d8f78 referenced in GitHub Security Advisory GHSA-58p9-6mjq-rf2m. The patch adds NULL checks in both the OUT-done and IN-done transfer-completion handlers, returning early with UDC_EVT_ERROR/-ENOBUFS when the endpoint FIFO buffer is empty.

Workarounds

  • Physically secure USB ports on affected devices to prevent untrusted hosts from connecting
  • Disable USB device functionality in Zephyr configuration if not required by the product
  • Deploy tamper-evident enclosures to detect unauthorized USB access attempts
bash
# Fetch and apply the upstream fix
git fetch https://github.com/zephyrproject-rtos/zephyr.git
git cherry-pick a0d8f786559355fb3b38e34799e1ae491ba9545c
west build -b <your_board> -p auto

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.