Denial of Service Vulnerability in Zephyr's USB Host Stack
CVE-2026-10663
6.1MEDIUM
What is CVE-2026-10663?
A critical flaw in Zephyr's USB host stack allows attackers with physical access to exploit use-after-free and double-free vulnerabilities. When a device is disconnected, the handler re-enters the disconnection process while holding a pointer to a freed object, leading to memory corruption and potential denial of service. This vulnerability, introduced in version 4.4.0, opens the door to device crashes and instability, emphasizing the need for careful security measures in the management of USB devices.
Affected Version(s)
zephyr 4.4.0 < 4.5.0
