CVE-2026-10663
Received Received - Intake

USB Use-After-Free in Zephyr RTOS USB Host Stack

Vulnerability report for CVE-2026-10663, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() (subsys/usb/host/usbh_core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL. Because UHC controller drivers (e.g. uhc_max3421e, uhc_mcux_common) synthesize UHC_EVT_DEV_REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh_device_disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k_mem_slab_free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object. Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh_device_disconnect() before freeing.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zephyrproject zephyr From 4.4.0 (inc) to 4.4.9 (inc)
zephyrproject zephyr 4.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10663 is a use-after-free and double-free vulnerability in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK). The issue arises because the function usbh_device_disconnect() frees the root USB device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() relies solely on ctx->root to decide what to tear down, checking only if it is non-NULL.

UHC controller drivers generate device-removed events directly from physical bus line states without debouncing, so an attacker with physical USB access or a malicious device can trigger a second device-removed event after a root device disconnect. This causes the handler to re-enter usbh_device_disconnect() with a dangling pointer, leading to use-after-free when locking a mutex inside the freed object, removing the freed node from the device list, and calling k_mem_slab_free() on an already-freed block (double-free). If the slab block has been reissued to a new device in between, this corrupts a live object.

Impact Analysis

This vulnerability can lead to denial of service by causing system crashes and memory corruption. An attacker with physical or local access to the USB bus can exploit this flaw to destabilize the system by triggering repeated device removal events, which corrupt internal USB host stack data structures.

Detection Guidance

This vulnerability involves a use-after-free and double-free condition in the Zephyr RTOS USB host stack triggered by physical USB device removal events. Detection would require monitoring for abnormal USB device disconnect events or system crashes related to USB host stack operations.

Since the vulnerability is triggered by physical USB device removal events causing use-after-free and double-free errors, detection could involve observing kernel logs or system crash reports for errors related to USB host device disconnect handling.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The vulnerability is fixed by clearing the cached pointer ctx->root in the usbh_device_disconnect() function before freeing the root USB device slab object.

Immediate mitigation steps include updating Zephyr RTOS to version 4.5.0 or later, where the fix is included.

Additionally, limiting physical USB access to trusted devices can reduce the risk of exploitation, as the attack requires physical or local access.

Compliance Impact

The vulnerability in Zephyr's USB host stack leads to denial of service (crash) and memory corruption through use-after-free and double-free conditions triggered by physical or local USB device manipulation.

There is no information provided in the available context or resources about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart