CVE-2026-10656: memory-safety in zephyrproject zephyr
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.
AI Analysis
Technical Summary
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c) in Zephyr OS dereferences an endpoint buffer without checking for NULL in its OUT and IN transfer-completion handlers. Specifically, udc_event_xfer_out_done() calls net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), but udc_buf_get() can return NULL if the endpoint FIFO is empty. Because transfer-completion events are queued from interrupt context and processed asynchronously, a USB host can drain the FIFO by sending a new SETUP packet, causing a stale event to be processed with a NULL buffer pointer. This results in a near-NULL pointer dereference that crashes the device. The vulnerability was introduced in Zephyr v4.4.0 with the addition of the MAX32 UDC driver. The fix involves adding NULL-buffer checks that return early with an error code in the OUT-done and IN-done handlers.
Potential Impact
An attacker with physical USB bus access (the USB host) can cause the affected device to crash by sending a new SETUP packet to abort an in-flight control transfer. This leads to a denial of service condition due to a NULL pointer dereference in the USB device controller driver. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix described involves adding NULL-buffer checks in the transfer-completion handlers to prevent dereferencing NULL pointers. Until a patch is available, avoid connecting the device to untrusted USB hosts or physically restrict USB host access to prevent exploitation.
CVE-2026-10656: memory-safety in zephyrproject zephyr
Description
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.
CVSS v3.1
Score 4.6medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c) in Zephyr OS dereferences an endpoint buffer without checking for NULL in its OUT and IN transfer-completion handlers. Specifically, udc_event_xfer_out_done() calls net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), but udc_buf_get() can return NULL if the endpoint FIFO is empty. Because transfer-completion events are queued from interrupt context and processed asynchronously, a USB host can drain the FIFO by sending a new SETUP packet, causing a stale event to be processed with a NULL buffer pointer. This results in a near-NULL pointer dereference that crashes the device. The vulnerability was introduced in Zephyr v4.4.0 with the addition of the MAX32 UDC driver. The fix involves adding NULL-buffer checks that return early with an error code in the OUT-done and IN-done handlers.
Potential Impact
An attacker with physical USB bus access (the USB host) can cause the affected device to crash by sending a new SETUP packet to abort an in-flight control transfer. This leads to a denial of service condition due to a NULL pointer dereference in the USB device controller driver. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix described involves adding NULL-buffer checks in the transfer-completion handlers to prevent dereferencing NULL pointers. Until a patch is available, avoid connecting the device to untrusted USB hosts or physically restrict USB host access to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:24:30.893Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4ae01927e9c79719f4564f
Added to database: 07/05/2026, 22:52:09 UTC
Last enriched: 07/05/2026, 23:06:36 UTC
Last updated: 07/06/2026, 01:57:22 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.