CVE-2026-10663 in zephyrinfo

Summary

by MITRE • 07/12/2026

In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() (subsys/usb/host/usbh_core.c) decides what to tear down solely from ctx->root, checking only that it is non-NULL.

Because UHC controller drivers (e.g. uhc_max3421e, uhc_mcux_common) synthesize UHC_EVT_DEV_REMOVED directly from physical bus line state with no debounce or state guard, an attacker with physical USB access (or a rogue device that bounces its connection) can deliver a second device-removed event after a root device disconnect. The handler then re-enters usbh_device_disconnect() with the dangling pointer, locking a mutex inside the freed object (use-after-free), removing the freed node from the device list, and calling k_mem_slab_free() on the already-freed block (double-free). If the slab block has been reissued to a newly attached device in between, this corrupts a live object.

Impact is denial of service (crash) and memory corruption; the attack vector is physical/local. The flaw was introduced in v4.4.0 by the connect/disconnect refactor and is fixed by clearing ctx->root in usbh_device_disconnect() before freeing.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/12/2026

The vulnerability exists within Zephyr's experimental USB host stack implementation where a use-after-free condition can be triggered through improper handling of device disconnection events. This flaw specifically affects the usbh_device_disconnect() function located in subsys/usb/host/usbh_device.c which frees the root usb_device slab object without clearing the cached pointer ctx->root. The core issue stems from the fact that the bus removal handler dev_removed_handler() in subsys/usb/host/usbh_core.c makes its teardown decisions based solely on the non-NULL state of ctx->root, creating a dangerous race condition scenario.

The operational impact becomes significant when considering that UHC controller drivers such as uhc_max3421e and uhc_mcux_common generate UHC_EVT_DEV_REMOVED events directly from physical bus line states without implementing debounce mechanisms or state guards. This design vulnerability creates an attack surface where an adversary with physical USB access or a malicious device capable of connection bouncing can deliver a second device-removed event after the initial root device disconnect has occurred. When this happens, the handler re-enters usbh_device_disconnect() with a dangling pointer reference, leading to multiple problematic scenarios including mutex locking on freed memory structures, removal of freed nodes from device lists, and subsequent k_mem_slab_free() calls on already-released memory blocks.

This particular vulnerability maps directly to CWE-416 Use After Free and CWE-129 Improper Validation of Array Index, with potential ATT&CK mappings to T1059 Command and Scripting Interpreter and T1490 Inhibit System Recovery through the denial of service impact. The flaw was introduced in version 4.4.0 during a connect/disconnect refactor operation and manifests as a double-free condition when the freed slab block has been reallocated to a newly attached device, resulting in corruption of live objects. The attack vector is classified as physical or local access since it requires direct USB connection manipulation or the presence of a rogue device capable of generating spurious connection events.

The mitigation strategy involves clearing the ctx->root pointer within usbh_device_disconnect() before the actual freeing operation occurs, ensuring that subsequent calls to dev_removed_handler() with stale references cannot trigger the dangerous code paths. This simple but critical fix prevents the use-after-free scenario and resolves both the crash conditions and memory corruption risks associated with this vulnerability. The remediation addresses the fundamental root cause by eliminating the dangling pointer reference that enables the exploitation path while maintaining the integrity of the USB host stack's device management functionality.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Interested in the pricing of exploits?

See the underground prices here!