PT-2026-55828 · Zephyrproject · Zephyr

Publicado

2026-07-05

·

Atualizado

2026-07-05

·

CVE-2026-10656

CVSS v3.1

4.6

Média

VetorAV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The MAX32xxx USB device controller driver (drivers/usb/udc/udc max32.c, compatible adi max32 usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc event xfer out done() called net buf add(buf, ep request->actlen) immediately after buf = udc buf get(ep cfg), where udc buf get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udc setup received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER OUT DONE event to be processed against an empty FIFO, producing net buf add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC EVT ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

Correção

NULL Pointer Dereference

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-10656

Produtos afetados

Zephyr