CVE-2026-10668
Received Received - Intake

USB Control Endpoint Denial of Service in Nuvoton NuMaker HSUSBD

Vulnerability report for CVE-2026-10668, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data IN already armed for a previous transfer, a USB host that cancels an in-flight control transfer (timeout) and then issues a new SETUP packet can drive the driver out of sync: stale data may be transmitted in the new transfer and the control endpoint can become permanently stuck NAK'ing every subsequent control transfer. A malicious or buggy host (physical/adjacent attacker driving the bus) can repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint, denying service to the device's USB function (the device stops enumerating/responding on the control pipe) until a USB reset or re-plug. The flaw is an availability-only denial of service; the FIFO copy loops (bounded by net_buf length and the hardware BUFFULL flag) and the net_buf lifecycle are independent of the arming desync, so there is no out-of-bounds access, use-after-free, or information leak. The fix monitors the IN-token and new-SETUP events (k_event) and only arms control Data IN when an IN token is present and no new SETUP has arrived, cancelling the current transfer on a new SETUP. Affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED); shipped in v4.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
nuvoton numaker_hsusbd to 4.4.0 (inc)
zephyrproject zephyr to 4.4.0 (inc)
nuvoton numaker_hsusbd From 4.4.0 (inc) to 4.5.0 (exc)
zephyrproject zephyr From 4.4.0 (inc) to 4.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-10668 vulnerability affects the Nuvoton NuMaker HSUSBD USB device-controller driver in the Zephyr RTOS. The issue arises because the driver unconditionally arms the control Data IN stage, which the hardware cannot disarm if a previous transfer is still armed. When a USB host cancels an ongoing control transfer and sends a new SETUP packet, this causes the driver to become desynchronized. As a result, stale data may be sent in the new transfer, and the control endpoint can become permanently stuck in a NAK state, preventing further control transfers.

This desynchronization effectively denies service to the device's USB function until a USB reset or re-plug occurs. The flaw is an availability-only denial-of-service issue and does not cause memory safety problems such as out-of-bounds access or information leaks.

The fix involves monitoring IN-token and new SETUP events to ensure the control Data IN stage is only armed when an IN token is present and no new SETUP has arrived, canceling the current transfer if a new SETUP is detected.

Impact Analysis

This vulnerability can cause a denial of service on devices using the affected USB controller driver. A malicious or buggy USB host can repeatedly cancel and resend SETUP packets, causing the device's USB control endpoint to become stuck in a NAK state.

As a result, the device will stop enumerating or responding on the control pipe, effectively disabling its USB functionality until the device is reset or unplugged and plugged back in.

The impact is limited to availability, with no effect on confidentiality or integrity, and exploitation requires physical or adjacent access to the USB bus.

Detection Guidance

This vulnerability causes the USB control endpoint on affected devices to become permanently stuck in a NAK state after a host cancels an in-flight control transfer and issues a new SETUP packet. Detection can be based on observing that the device stops enumerating or responding on the USB control pipe.

Since the issue is related to USB control transfers being stuck and denial of service on the USB function, monitoring USB device enumeration failures or repeated NAK responses on control endpoints can indicate the presence of this vulnerability.

Specific commands to detect this condition are not provided in the available resources. However, USB traffic analysis tools (e.g., usbmon on Linux or Wireshark with USB capture) can be used to monitor control transfer cancellations and repeated SETUP packets followed by NAK responses.

Mitigation Strategies

Immediate mitigation involves applying the fix introduced in Zephyr RTOS versions after 4.4.0 and before 4.5.0, which monitors IN-token and new SETUP events to ensure control Data IN is only armed when appropriate, cancelling current transfers on new SETUP packets.

If updating the Zephyr RTOS or the Nuvoton NuMaker HSUSBD driver is not immediately possible, a temporary mitigation is to reset or re-plug the USB device to recover from the stuck NAK state caused by the vulnerability.

Additionally, restricting physical or adjacent attacker access to the USB bus can reduce the risk, as exploitation requires a malicious or buggy host physically connected to the USB bus.

Compliance Impact

This vulnerability is an availability-only denial-of-service (DoS) issue that affects the USB control endpoint of devices using the Nuvoton NuMaker HSUSBD controller. It does not impact confidentiality or integrity, and there are no memory safety violations or information leaks involved.

Because the flaw only causes denial of service and does not expose or compromise sensitive data, it has limited direct impact on compliance with data protection standards and regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or protected health information.

However, the denial of service could affect availability requirements under some regulations if the affected device is critical for maintaining compliant operations or services.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart