PT-2026-57565 · Zephyrproject · Zephyr

Publicado

2026-07-12

·

Atualizado

2026-07-12

·

CVE-2026-10663

CVSS v3.1

6.1

Média

VetorAV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
In Zephyr's experimental USB host stack (CONFIG USB HOST STACK), usbh device disconnect() (subsys/usb/host/usbh device.c) freed the root usb device slab object without clearing the cached pointer ctx->root. The bus removal handler dev removed handler() (subsys/usb/host/usbh core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.
Because UHC controller drivers (e.g. uhc max3421e, uhc mcux common) synthesize UHC EVT DEV REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh device disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k mem slab free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.
Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh device disconnect() before freeing.

Correção

Use After Free

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-10663

Produtos afetados

Zephyr