CVE-2026-10656info

Summary

by MITRE • 07/06/2026

The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability exists within the MAX32xxx USB device controller driver implementation in the Zephyr operating system, specifically affecting the udc_max32.c file which implements the adi_max32_usbhs compatible driver. This flaw represents a classic null pointer dereference issue that occurs during USB transfer completion handling, where the driver fails to validate endpoint buffer pointers before attempting operations on them. The vulnerability is particularly concerning as it affects the core USB device controller functionality and can be exploited through legitimate USB host behavior without requiring any authentication or privileged access.

The technical root cause stems from improper buffer validation in the OUT transfer-completion handler function udc_event_xfer_out_done() which directly calls net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg). The udc_buf_get() function returns NULL when the endpoint FIFO is empty, creating a scenario where subsequent operations attempt to dereference this null pointer. This flaw is exacerbated by the asynchronous nature of USB event processing, where transfer-completion events are queued from interrupt context and processed later by the driver thread. During this time window between queuing and processing, normal USB host control flow can drain the endpoint FIFO through various mechanisms including udc_setup_received() function which clears EP0 OUT/IN FIFOs upon receiving new SETUP packets, as well as dequeue/disable/purge operations that also empty FIFO buffers.

The operational impact of this vulnerability manifests as a device crash or denial of service condition when a USB host performs a legitimate action such as aborting an in-flight EP0 control transfer with a new SETUP packet. This behavior is fully compliant with USB specifications and represents normal host operation rather than malicious activity. The vulnerability creates a race condition where stale XFER_OUT_DONE events are processed against empty FIFOs, resulting in net_buf_add(NULL, ...) operations that cause immediate null pointer dereference faults. This type of vulnerability aligns with CWE-476 which describes NULL Pointer Dereference and demonstrates how improper input validation can lead to system crashes. The attack vector requires only physical access to the USB bus since any connected host can trigger this condition through standard USB control flow mechanisms.

The fix implemented addresses this issue by adding comprehensive NULL buffer checks in both OUT-done and IN-done transfer completion handlers, returning early with UDC_EVT_ERROR or -ENOBUFS error codes when null buffers are detected. This defensive programming approach prevents the null pointer dereference while maintaining proper error handling semantics for the USB device controller driver. The vulnerability was introduced with the initial implementation of the MAX32 UDC driver in Zephyr v4.4.0 and affects all subsequent versions until the patch is applied. This type of flaw demonstrates the importance of validating all buffer pointers in interrupt contexts and handling asynchronous processing scenarios properly, particularly in embedded systems where USB controllers are frequently used for device communication. The solution follows established best practices for preventing null pointer dereferences in kernel-level drivers and aligns with ATT&CK techniques related to system crash exploitation through improper input validation in device drivers.

Disclosure

07/06/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!