PT-2026-57565 · Zephyrproject · Zephyr
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-10663
CVSS v3.1
6.1
Medium
| Vector | AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
In Zephyr's experimental USB host stack (CONFIG USB HOST STACK), usbh device disconnect() (subsys/usb/host/usbh device.c) freed the root usb device slab object without clearing the cached pointer ctx->root. The bus removal handler dev removed handler() (subsys/usb/host/usbh core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.
Because UHC controller drivers (e.g. uhc max3421e, uhc mcux common) synthesize UHC EVT DEV REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh device disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k mem slab free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.
Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh device disconnect() before freeing.
Fix
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr