USB Device Controller Driver Vulnerability in MAX32xxx by Zephyr Project
CVE-2026-10656
4.6MEDIUM
What is CVE-2026-10656?
The MAX32xxx USB device controller driver contains a vulnerability that arises from improper handling of endpoint buffers in its transfer-completion handlers. Specifically, the driver can encounter a NULL pointer dereference when processing a transfer-completion event while the endpoint FIFO is empty. This scenario occurs when a USB host sends a new SETUP packet during an in-flight EP0 control transfer, resulting in a device crash. The issue was introduced in Zephyr version 4.4.0, and the remediation involves implementing NULL checks within the drivers' OUT and IN handlers to prevent such dereferences, returning early with an appropriate error signal.
Affected Version(s)
zephyr 4.2.0 < 4.5.0
