PT-2026-57565 · Zephyrproject · Zephyr

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-10663

CVSS v3.1

6.1

Medium

VectorAV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
In Zephyr's experimental USB host stack (CONFIG USB HOST STACK), usbh device disconnect() (subsys/usb/host/usbh device.c) freed the root usb device slab object without clearing the cached pointer ctx->root. The bus removal handler dev removed handler() (subsys/usb/host/usbh core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.
Because UHC controller drivers (e.g. uhc max3421e, uhc mcux common) synthesize UHC EVT DEV REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh device disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k mem slab free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.
Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh device disconnect() before freeing.

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10663

Affected Products

Zephyr