CVE-2026-10656

Source
https://cve.org/CVERecord?id=CVE-2026-10656
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10656.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10656
Aliases
  • GHSA-58p9-6mjq-rf2m
Published
2026-07-05T22:23:36.983Z
Modified
2026-07-15T06:01:32.385338Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
NULL-pointer dereference DoS in MAX32 USB device controller transfer-completion handlers
Details

The MAX32xxx USB device controller driver (drivers/usb/udc/udcmax32.c, compatible adimax32usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udceventxferoutdone() called netbufadd(buf, eprequest->actlen) immediately after buf = udcbufget(epcfg), where udcbufget() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udcsetupreceived() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFEROUTDONE event to be processed against an empty FIFO, producing netbufadd(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDCEVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10656.json",
    "cwe_ids": [
        "CWE-476"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.2.0"
                },
                {
                    "fixed": "4.5.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "zephyr"
}
References

Affected packages

Git / github.com/zephyrproject-rtos/zephyr

Affected ranges

Type
GIT
Repo
https://github.com/zephyrproject-rtos/zephyr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.0-rc1
v1.10.0
v1.10.0-rc1
v1.10.0-rc2
v1.10.0-rc3
v1.11.0
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.12.0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.13.0
v1.13.0-rc1
v1.13.0-rc2
v1.13.0-rc3
v1.14.0
v1.14.0-rc1
v1.14.0-rc2
v1.14.0-rc3
v1.2.0
v1.2.0-rc1
v1.2.0-rc2
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.6.99
v1.7.99
v1.8.99
v1.9.0
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3
v1.9.0-rc4
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.0-rc3
v2.2.0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.3.0
v2.3.0-rc1
v2.3.0-rc2
v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.7.99
v3.*
v3.0.0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.2.0
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.3.0
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.4.0
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.5.0-rc3
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v4.*
v4.0.0
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.1.0
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.2.0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.3.0
v4.3.0-rc1
v4.3.0-rc2
v4.3.0-rc3
v4.4.0
v4.4.0-rc1
v4.4.0-rc2
v4.4.0-rc3
zephyr-v1.*
zephyr-v1.0.0
zephyr-v1.1.0
zephyr-v1.10.0
zephyr-v1.11.0
zephyr-v1.12.0
zephyr-v1.13.0
zephyr-v1.14.0
zephyr-v1.2.0
zephyr-v1.3.0
zephyr-v1.4.0
zephyr-v1.5.0
zephyr-v1.9.0
zephyr-v2.*
zephyr-v2.0.0
zephyr-v2.1.0
zephyr-v2.2.0
zephyr-v2.3.0
zephyr-v2.4.0
zephyr-v2.5.0
zephyr-v2.6.0
zephyr-v3.*
zephyr-v3.0.0
zephyr-v3.1.0
zephyr-v3.2.0
zephyr-v3.3.0
zephyr-v3.4.0
zephyr-v3.5.0

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "24317084411018472080162150716770592365",
            "length": 571.0
        },
        "id": "CVE-2026-10656-1bc967ae",
        "signature_type": "Function",
        "target": {
            "function": "udc_event_xfer_in_done",
            "file": "drivers/usb/udc/udc_max32.c"
        }
    },
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "33350230760163245801192208253704166255",
                "291282495125010096487104515251827177816",
                "94495744320510663459695410120200367806",
                "89478244151557402979442759503710134747",
                "159171471706898404792707285142349563018",
                "206675346456870726910808346582554446437",
                "261701097392006047813749870951672822256",
                "26367737622512162512760073872298022903",
                "250858307220393455607417055982569864488",
                "238432323946334381568107479029110152410",
                "807469234239318664541602960151672372",
                "94495744320510663459695410120200367806",
                "89478244151557402979442759503710134747",
                "141447520046203120886969398498985420335",
                "261701097392006047813749870951672822256",
                "26367737622512162512760073872298022903",
                "250858307220393455607417055982569864488",
                "316817129569507216844495800135432679806",
                "201551607042475324479810970454284992103",
                "232416639143580162633532188322016820526",
                "69833050328130826869190257150567538336",
                "316817129569507216844495800135432679806",
                "84096003844482850427461570578171110554",
                "318459083092930454393493356285168054652",
                "292753752850339287885155118663277213156",
                "243554072458507894632555472541435536751",
                "64725970068066904970740136516953020224",
                "213480323486753105773480485330789706337",
                "59993601095810781286983500895544530202",
                "211240948541856031812845547192910577166",
                "14781562782749956426482422113145035125",
                "84531328882227032355030878871182313621",
                "33720229487319116367000554894824371872",
                "220528337155707530243425116815591093773",
                "24371891616884506470022759378580776761",
                "220045180108584913732310838116065842652",
                "165547782923646534504818672804711992975",
                "336276867223649340023843985834085275681",
                "23413702134951655775539875202842545046",
                "88725360721503728503838152564448746492",
                "133752334999657762012855778420140859684",
                "116068967273537606885528677030030251468",
                "76495120377329605444187873160016341542",
                "107001042396166058316757663877195262275",
                "288288988326731018638956831429614748731"
            ]
        },
        "id": "CVE-2026-10656-3fcffec0",
        "signature_type": "Line",
        "target": {
            "file": "drivers/usb/udc/udc_max32.c"
        }
    },
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "83324112252321513083188240845935599919",
            "length": 1045.0
        },
        "id": "CVE-2026-10656-47d9698f",
        "signature_type": "Function",
        "target": {
            "function": "udc_max32_event_callback",
            "file": "drivers/usb/udc/udc_max32.c"
        }
    },
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "244749874046167321079227182312702861965",
            "length": 560.0
        },
        "id": "CVE-2026-10656-524fc22a",
        "signature_type": "Function",
        "target": {
            "function": "udc_event_xfer_out_done",
            "file": "drivers/usb/udc/udc_max32.c"
        }
    },
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "277921088150697326740157021554348411152",
            "length": 1119.0
        },
        "id": "CVE-2026-10656-909f4100",
        "signature_type": "Function",
        "target": {
            "function": "udc_event_xfer_out",
            "file": "drivers/usb/udc/udc_max32.c"
        }
    },
    {
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a0d8f786559355fb3b38e34799e1ae491ba9545c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "298463293461007306312520533756877934295",
            "length": 975.0
        },
        "id": "CVE-2026-10656-9ef7362d",
        "signature_type": "Function",
        "target": {
            "function": "udc_event_xfer_in",
            "file": "drivers/usb/udc/udc_max32.c"
        }
    }
]
vanir_signatures_modified
"2026-07-15T06:01:32Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10656.json"