CVE-2026-10647

USB CDC-NCM Driver Deadlock on Enqueue Failure

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Zephyr Project

Description

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data->sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never fires and the calling thread, a shared network traffic-class TX thread, deadlocks permanently while holding the interface TX lock, halting transmission until reboot (and leaking the transmit buffer).

The enqueue fails under conditions controlled by the attached USB host: usbd_ep_enqueue() returns -EPERM whenever the bus is suspended (a standard, persistent host operation), and the underlying udc_ep_enqueue() returns -EPERM/-ENODEV on disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard only checks the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet transmitted while the host holds the bus suspended reaches the failing enqueue and deadlocks the TX path. The realistic trigger is a bus suspend that occurs while the exported network interface is active and has traffic to send (host sleep, USB selective/auto-suspend, or hub power management), after which any device-originated packet deadlocks the path, recoverable only by reboot.

The impact is a persistent loss of the virtual network connection between the host's NCM interface and the Zephyr device; because the deadlocked thread is a shared traffic-class TX thread, egress on other network interfaces can stall as well. There is no memory corruption or information disclosure. The defect was introduced with the CDC-NCM driver and shipped in releases through v4.4.0; it is fixed by checking the usbd_ep_enqueue() return value and freeing the buffer before the blocking wait.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor         Product   Version / Range
zephyrproject  cdc_ncm   to 4.4.0 (inc)

Exploitability

CWE ID: CWE-833
Description: The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Executive Summary

This vulnerability exists in the USB CDC-NCM device class driver used in Zephyr OS. The driver ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback, cdc_ncm_send(). When the enqueue fails, the driver still waits indefinitely on a semaphore that is signaled only from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never runs and the semaphore is never signaled, so the transmit thread deadlocks permanently while holding the interface TX lock. The deadlock halts transmission until the device is rebooted.

The enqueue failure can be triggered by the USB host suspending the bus, or by a disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard checks only the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet sent while the bus is suspended reaches the failing enqueue and the deadlock occurs. This results in a persistent loss of the virtual network connection between the host and the device.

Impact Analysis

The main impact of this vulnerability is a permanent deadlock in the network transmit path of the affected device, causing a complete halt of network transmission until the device is rebooted.

  • Loss of virtual network connectivity between the host's NCM interface and the Zephyr device.
  • Potential stalling of egress traffic on other network interfaces sharing the same transmit thread.
  • The device requires a reboot to recover from the deadlock condition.

There is no memory corruption or information disclosure associated with this vulnerability.

Detection Guidance

This vulnerability causes a deadlock in the USB CDC-NCM device class when the USB bus is suspended and a packet is transmitted, resulting in a permanent halt of transmission until reboot.

Detection can be based on observing a persistent loss of the virtual network connection between the host's NCM interface and the Zephyr device, or a stall in egress traffic on other network interfaces sharing the traffic-class TX thread.

Since the issue is related to USB bus suspend states and deadlocked transmit threads, monitoring USB device states and network interface transmission status may help detect the problem.

However, no specific commands or detection tools are provided in the available information.

Mitigation Strategies

The vulnerability is fixed by checking the return value of usbd_ep_enqueue() and freeing the buffer before blocking on the semaphore.

Immediate mitigation steps include avoiding USB bus suspend states while the network interface is active and has traffic to send, such as disabling host sleep, USB selective/auto-suspend, or hub power management features that cause bus suspend.

If the device is already affected, the only recovery is to reboot the device to clear the deadlock.

Applying the fixed version of the CDC-NCM driver (post v4.4.0) that includes the return value check is the definitive mitigation.
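
The defective flow and the fix described above, modelled on the host as an added example; this is not the Zephyr driver's code or the project's patch. The struct, the model_* functions, and the completion running immediately on a successful enqueue are assumptions made so the two flows can be compared without Zephyr.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Host-side model (an assumption, not Zephyr code) of the state the send path touches. */
struct model {
    bool suspended;   /* host holds the bus suspended */
    int sync_sem;     /* completion semaphore count */
    int bufs_in_use;  /* transmit buffers allocated and not yet freed */
    bool tx_blocked;  /* TX thread would wait forever on sync_sem */
    int ret;          /* value the send routine returned */
};
/* Stand-in for usbd_ep_enqueue(): -EPERM while suspended, else the completion runs at once. */
static int model_ep_enqueue(struct model *m)
{
    if (m->suspended) return -EPERM;
    m->bufs_in_use--;  /* modelled completion callback releases the buffer */
    m->sync_sem++;     /* and gives the completion semaphore */
    return 0;
}

/* Stand-in for k_sem_take(&data->sync_sem, K_FOREVER): records a hang instead of blocking. */
static void model_sem_take_forever(struct model *m)
{
    if (m->sync_sem > 0) m->sync_sem--;
    else m->tx_blocked = true;
}

/* check_ret == false is the defective flow; check_ret == true is the fixed flow. */
struct model model_send(bool suspended, bool check_ret)
{
    struct model m = { .suspended = suspended };
    m.bufs_in_use++;                /* buffer for the outgoing transfer */
    int err = model_ep_enqueue(&m);
    if (check_ret && err != 0) {
        m.bufs_in_use--;            /* fix: free the buffer ... */
        m.ret = err;
        return m;                   /* ... and return before the blocking wait */
    }
    model_sem_take_forever(&m);     /* defective flow waits even though nothing was queued */
    return m;
}

int main(void)
{
    struct model bad = model_send(true, false), good = model_send(true, true);
    printf("unchecked: blocked=%d leaked=%d\n", bad.tx_blocked, bad.bufs_in_use);
    printf("checked:   blocked=%d leaked=%d ret=%d\n", good.tx_blocked, good.bufs_in_use, good.ret);
    return 0;
}
```

With the bus suspended, the unchecked flow ends with the TX thread blocked and one buffer still allocated, while the checked flow returns -EPERM with nothing held.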

Compliance Impact

This vulnerability causes a persistent loss of the virtual network connection and stalls network transmission until a reboot occurs. However, it does not involve memory corruption or information disclosure.

Since there is no information disclosure or data breach associated with this vulnerability, it does not directly impact compliance with data protection standards and regulations such as GDPR or HIPAA.

The main impact is availability, as network transmission can be halted, which could affect systems relying on continuous network connectivity.
