PT-2026-53748 · Zephyr · Zephyr

Published: 2026-06-29 · Updated: 2026-06-29 · CVE-2026-10647

CVSS v3.1: 5.3 Medium
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Zephyr versions prior to 4.4.0
Description: The USB CDC-NCM device class contains a flaw where the cdc_ncm_send() function ignores the return value of usbd_ep_enqueue(). If the enqueue operation fails (which occurs when the USB bus is suspended, disconnected, or reset, or when the endpoint is disabled), the function still attempts to take the completion semaphore with k_sem_take(&data->sync_sem, K_FOREVER). Since no data was enqueued, the completion callback that would signal the semaphore never runs, so the shared network traffic-class TX thread deadlocks while holding the interface TX lock. The result is a permanent halt of transmissions on that interface and a leaked transmit buffer, recoverable only by reboot. The virtual network connection is lost persistently and, because the TX thread is shared, egress on other network interfaces may stall as well.
Recommendations: Update to version 4.4.0 or later, which checks the return value of usbd_ep_enqueue() and frees the buffers before the blocking wait.
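The following host-side model shows the two shapes of the send routine side by side: the pre-4.4.0 shape that discards the enqueue result and blocks forever on the completion semaphore, and the hardened shape that checks the result, releases the buffer and the TX lock, and returns the error. This is an added example, not Zephyr's own code. usbd_ep_enqueue(), k_sem_take(), K_FOREVER, net_buf and the interface TX lock are replaced by small stand-ins (sim_ep_enqueue, sim_sem_take_forever, struct sim_buf, struct sim_usb) so it compiles without the Zephyr SDK; the sim_ prefixed names, the SIM_DEADLOCK code, and the field layout are all assumptions made for the model.

```c
/* Host-side model of the CDC-NCM transmit path described in this advisory.
 * Added example, not Zephyr's own code: usbd_ep_enqueue(), k_sem_take(),
 * K_FOREVER, net_buf and the interface TX lock are replaced by tiny stand-ins
 * (all sim_ names are assumptions) so both send variants run on an ordinary host. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a net_buf; in_use stays set if a path forgets to release it. */
struct sim_buf {
    bool in_use;
};

/* Stand-in for the USB device stack plus the shared TX-thread state. */
struct sim_usb {
    bool bus_ready;    /* false when suspended, disconnected, reset or endpoint disabled */
    int  sync_sem;     /* count of the completion semaphore (data->sync_sem in Zephyr) */
    bool tx_lock_held; /* the interface TX lock taken by the shared TX thread */
};

/* Model's code for "k_sem_take(..., K_FOREVER) would never return". */
#define SIM_DEADLOCK (-EDEADLK)

/* Stand-in for usbd_ep_enqueue(): refuses the transfer while the bus is not ready.
 * On success the controller completes the transfer and the completion callback
 * gives sync_sem; the model collapses that into one step. */
static int sim_ep_enqueue(struct sim_usb *usb, struct sim_buf *buf)
{
    if (!usb->bus_ready || !buf->in_use) {
        return -EPERM;   /* nothing queued, so no completion callback will ever run */
    }
    usb->sync_sem++;     /* completion callback: k_sem_give(&data->sync_sem) */
    return 0;
}

/* Stand-in for k_sem_take(&data->sync_sem, K_FOREVER): a real kernel blocks the
 * caller forever when the count is zero; the model reports that as SIM_DEADLOCK. */
static int sim_sem_take_forever(struct sim_usb *usb)
{
    if (usb->sync_sem > 0) {
        usb->sync_sem--;
        return 0;
    }
    return SIM_DEADLOCK;
}

/* Vulnerable shape (versions before 4.4.0): the enqueue result is discarded. */
int cdc_ncm_send_vulnerable(struct sim_usb *usb, struct sim_buf *buf)
{
    usb->tx_lock_held = true;          /* TX thread enters holding the interface lock */
    (void)sim_ep_enqueue(usb, buf);    /* return value ignored */
    int ret = sim_sem_take_forever(usb);
    if (ret == SIM_DEADLOCK) {
        /* In reality the thread never gets here: lock stays held, buf is never freed. */
        return ret;
    }
    buf->in_use = false;               /* net_buf_unref() after the transfer completed */
    usb->tx_lock_held = false;
    return 0;
}

/* Hardened shape (4.4.0 behaviour as the advisory describes it): check the enqueue
 * result, free the buffer and drop the lock, and return the error instead of waiting. */
int cdc_ncm_send_fixed(struct sim_usb *usb, struct sim_buf *buf)
{
    usb->tx_lock_held = true;
    int ret = sim_ep_enqueue(usb, buf);
    if (ret != 0) {
        buf->in_use = false;           /* free the buffer before any blocking wait */
        usb->tx_lock_held = false;
        return ret;                    /* caller sees -EPERM and can drop the packet */
    }
    ret = sim_sem_take_forever(usb);   /* a completion is now guaranteed */
    buf->in_use = false;
    usb->tx_lock_held = false;
    return ret;
}

int main(void)
{
    /* Constructed scenario: bus suspended, one buffer per send attempt. */
    struct sim_usb usb = { .bus_ready = false, .sync_sem = 0, .tx_lock_held = false };
    struct sim_buf a = { .in_use = true }, b = { .in_use = true };

    int v = cdc_ncm_send_vulnerable(&usb, &a);
    printf("vulnerable: ret=%d lock_held=%d buf_leaked=%d\n", v, usb.tx_lock_held, a.in_use);

    usb.tx_lock_held = false;          /* reset the model before running the fixed path */
    int f = cdc_ncm_send_fixed(&usb, &b);
    printf("fixed:      ret=%d lock_held=%d buf_leaked=%d\n", f, usb.tx_lock_held, b.in_use);
    return 0;
}
```

With the bus suspended, the vulnerable path returns the model's deadlock code with the TX lock still held and the buffer still marked in use, which is the stuck TX thread and buffer leak the advisory describes; the fixed path returns -EPERM with the lock released and the buffer freed. With the bus ready both paths complete normally, showing the check costs nothing on the healthy path.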


Weakness Enumeration

Related Identifiers: CVE-2026-10647

Affected Products: Zephyr