CVE-2026-10656
Received Received - Intake

NULL Pointer Dereference in MAX32xxx USB Device Controller Driver

Vulnerability report for CVE-2026-10656, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: Zephyr Project

Description

The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow β€” in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr From 4.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the MAX32xxx USB device controller driver used in Zephyr. The driver dereferences an endpoint buffer pointer without checking if it is NULL during USB transfer completion handlers. Specifically, when the endpoint FIFO is empty, the buffer pointer can be NULL, but the driver still attempts to use it, causing a near-NULL pointer dereference.

This happens because a USB host can abort an ongoing control transfer by sending a new SETUP packet, which drains the endpoint FIFO. When the driver later processes a stale transfer completion event referencing the now-empty FIFO, it tries to add data to a NULL buffer, causing a fault and crashing the device.

No authentication is required to exploit this; the attacker only needs to be the USB host connected to the device.

Impact Analysis

The primary impact of this vulnerability is denial of service (DoS). An attacker acting as the USB host can cause the device to crash by exploiting the NULL pointer dereference in the USB device controller driver.

This crash can disrupt normal device operation, potentially requiring a manual reset or power cycle to recover.

Mitigation Strategies

The vulnerability is caused by the MAX32xxx USB device controller driver dereferencing a NULL pointer, leading to device crashes when a USB host aborts an in-flight EP0 control transfer with a new SETUP packet.

Immediate mitigation involves updating the affected Zephyr project to a version that includes the fix, which adds NULL-buffer checks in the OUT-done and IN-done handlers to prevent the NULL pointer dereference and device crash.

Since the vulnerability requires physical USB bus access by the attacker, limiting physical access to the device and avoiding untrusted USB hosts can also reduce risk until the fix is applied.

Compliance Impact

This vulnerability causes a denial of service (device crash) due to a NULL pointer dereference in the MAX32xxx USB device controller driver. It does not involve unauthorized access, data leakage, or modification of data.

Since the impact is limited to device availability and does not affect confidentiality or integrity of data, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and security.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10656. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart