USB CDC-NCM Device Class Vulnerability in Zephyr OS
CVE-2026-10647

5.3 MEDIUM

Key Information:

CVE Published: 29 June 2026

What is CVE-2026-10647?

The USB CDC-NCM device class in Zephyr OS does not check the return value of usbd_ep_enqueue() in its Ethernet transmit path. The transmit routine queues the outgoing buffer and then waits on a semaphore that is given when the transfer completes. If the enqueue fails, no transfer is started, the completion never happens and the semaphore is never given: the transmitting thread blocks indefinitely and the buffer it holds is never released. Network communication over the interface halts and a reboot is required to recover. The failing enqueue needs no unusual setup: if the host suspends the bus (USB selective suspend, hub power management) while the network interface is active, a transmit attempted on the suspended bus fails and triggers the deadlock. The deadlocked thread can disrupt egress on other interfaces as well. The flaw has been present since the CDC-NCM driver was introduced and affects versions up to v4.4.0. The fix checks the usbd_ep_enqueue() return value and handles the buffer on failure instead of waiting on the semaphore. The impact is denial of service only, which is why the page rates it MEDIUM rather than critical.
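The pattern described above, as an added example written for this page and not Zephyr's driver code: a constructed model of the transmit path in which model_ep_enqueue() stands in for usbd_ep_enqueue(), model_sem_take() for k_sem_take(..., K_FOREVER), and struct ncm_model, run_scenario() and the -EPERM result while suspended are assumptions of the model. The vulnerable send ignores the enqueue result and waits for a completion that can never arrive; the hardened send checks the result, releases the buffer and reports the error before touching the semaphore.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of a CDC-NCM transmit path, written for this page to show
 * the bug class. It is NOT Zephyr code: model_ep_enqueue() stands in for
 * usbd_ep_enqueue(), model_sem_take() for k_sem_take(..., K_FOREVER), and the
 * buffer accounting and the -EPERM result while suspended are assumptions.
 */

enum tx_result {
    TX_OK = 0,
    TX_DROPPED = 1,        /* hardened path: enqueue failed, packet dropped, thread continues */
    TX_WOULD_DEADLOCK = 2  /* vulnerable path: thread would block on the semaphore forever */
};

struct ncm_model {
    bool bus_suspended;   /* host put the bus into suspend (selective suspend, hub PM) */
    int  sem_count;       /* completion semaphore, given only by the transfer-complete callback */
    int  bufs_in_flight;  /* TX buffers allocated and not yet released (leak detector) */
};

/* Transfer-complete callback: the only place the semaphore is given and the buffer freed. */
static void model_tx_complete_cb(struct ncm_model *m)
{
    m->bufs_in_flight--;
    m->sem_count++;
}

/* Stand-in for usbd_ep_enqueue(): refuses while suspended, otherwise completes immediately. */
static int model_ep_enqueue(struct ncm_model *m)
{
    if (m->bus_suspended) {
        return -EPERM;  /* assumed: a negative errno means "not queued, no callback will run" */
    }
    model_tx_complete_cb(m);
    return 0;
}

/* Stand-in for k_sem_take(K_FOREVER) that reports a would-be hang instead of blocking. */
static int model_sem_take(struct ncm_model *m)
{
    if (m->sem_count == 0) {
        return -1;  /* a real K_FOREVER take would never return from here */
    }
    m->sem_count--;
    return 0;
}

/* Vulnerable pattern: enqueue result ignored, then wait for a completion that cannot arrive. */
static enum tx_result ncm_send_vulnerable(struct ncm_model *m)
{
    m->bufs_in_flight++;
    (void)model_ep_enqueue(m);       /* return value discarded */
    if (model_sem_take(m) != 0) {
        return TX_WOULD_DEADLOCK;    /* TX thread stuck; the buffer is never released either */
    }
    return TX_OK;
}

/* Hardened pattern: check the return value and handle the buffer before touching the semaphore. */
static enum tx_result ncm_send_fixed(struct ncm_model *m)
{
    m->bufs_in_flight++;
    int ret = model_ep_enqueue(m);
    if (ret < 0) {
        m->bufs_in_flight--;         /* no completion will run, so release the buffer here */
        return TX_DROPPED;           /* report the error; the TX thread stays alive */
    }
    (void)model_sem_take(m);         /* safe: the transfer was queued, completion will give it */
    return TX_OK;
}

/* Run one send from a fresh state. Returns the outcome; *leaked receives unreleased buffers. */
enum tx_result run_scenario(bool suspended, bool use_fix, int *leaked)
{
    struct ncm_model m = { .bus_suspended = suspended, .sem_count = 0, .bufs_in_flight = 0 };
    enum tx_result r = use_fix ? ncm_send_fixed(&m) : ncm_send_vulnerable(&m);
    if (leaked != NULL) {
        *leaked = m.bufs_in_flight;
    }
    return r;
}

/* Convenience for checks: number of buffers left unreleased after one send. */
int scenario_leaked_bufs(bool suspended, bool use_fix)
{
    int leaked = 0;
    (void)run_scenario(suspended, use_fix, &leaked);
    return leaked;
}

int main(void)
{
    static const char *names[] = { "TX_OK", "TX_DROPPED", "TX_WOULD_DEADLOCK" };
    for (int fix = 0; fix <= 1; fix++) {
        for (int susp = 0; susp <= 1; susp++) {
            int leaked = 0;
            enum tx_result r = run_scenario(susp != 0, fix != 0, &leaked);
            printf("%-10s bus %-9s -> %-17s leaked=%d\n",
                   fix ? "hardened" : "vulnerable", susp ? "suspended" : "active",
                   names[r], leaked);
        }
    }
    return 0;
}
```

The model deliberately makes the completion callback the only path that gives the semaphore, because that is what turns an unchecked enqueue failure into an unbounded wait: once the call fails there is nothing left in the system that will ever wake the thread. The same check applies to any driver that pairs an asynchronous submit with a blocking wait on its completion.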

Affected Version(s)

zephyr >= 4.1.0, < 4.5.0

CVSS V3.1

Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

A vector with no confidentiality, integrity or availability impact scores 0.0 under CVSS v3.1; with the exploitability metrics above, a score of 5.3 corresponds to a single High impact, and a deadlock that requires a reboot is an availability impact.
