USB Device Controller Driver Vulnerability in MAX32xxx by Zephyr Project
CVE-2026-10656

4.6MEDIUM

Key Information:

Status
Vendor
CVE Published:
5 July 2026

What is CVE-2026-10656?

The MAX32xxx USB device controller driver contains a vulnerability that arises from improper handling of endpoint buffers in its transfer-completion handlers. Specifically, the driver can encounter a NULL pointer dereference when processing a transfer-completion event while the endpoint FIFO is empty. This scenario occurs when a USB host sends a new SETUP packet during an in-flight EP0 control transfer, resulting in a device crash. The issue was introduced in Zephyr version 4.4.0, and the remediation involves implementing NULL checks within the drivers' OUT and IN handlers to prevent such dereferences, returning early with an appropriate error signal.

Affected Version(s)

zephyr 4.2.0 < 4.5.0

References

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.