mediumCVE-2026-10656

CVE-2026-10656 zephyr vulnerability

The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_add(buf, ep_request->actlen) immediately after buf = udc_buf_get(ep_cfg), where udc_buf_get() returns NULL when the endpoint FIFO is empty. A transfer-completion event is queued from interrupt context and processed asynchronously by the driver thread; between queuing and processing, the endpoint FIFO can be drained by host-controlled control flow — in particular udc_setup_received() drains the EP0 OUT/IN FIFOs whenever a new SETUP packet arrives, and dequeue/disable/purge paths drain it likewise. A USB host that aborts an in-flight EP0 control transfer with a new SETUP packet (legal USB behavior) can therefore cause a stale XFER_OUT_DONE event to be processed against an empty FIFO, producing net_buf_add(NULL, ...), a near-NULL pointer dereference that faults and crashes the device. No authentication is required; the attacker is the USB host the device is connected to (physical bus access). Impact is denial of service (device crash). The defect was introduced when the MAX32 UDC driver was added and shipped in Zephyr v4.4.0. The fix adds NULL-buffer checks that return early with UDC_EVT_ERROR/-ENOBUFS in both the OUT-done and IN-done handlers.

Productzephyr
CVSS4.6
EPSSNot scored yet
UpdatedJuly 13, 2026

Quick answer

zephyrproject zephyr should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-10656 affects Zephyr Zephyr. Update the Zephyr tree to a Zephyr tree containing patch a0d8f7865593 or a later fixed release, rebuild affected firmware, and review exposed DNS, network, or USB device paths depending on the impacted driver. Affected ranges in the local record are 4.2.0 through 4.4.0.

  1. Inventory Zephyr-based firmware, boards, west manifests, module revisions, and products that include the affected DNS resolver, USB controller driver, or network stack path.
  2. Compare the pinned Zephyr revision with the advisory and identify devices built from vulnerable releases through 4.4.0.
  3. Update the Zephyr source tree to a Zephyr tree containing patch a0d8f7865593 or a later fixed release, or cherry-pick the referenced patch into the maintained product branch.
  4. Rebuild firmware images and regenerate SBOM or release metadata so the patched Zephyr commit is traceable for every device build.
  5. Disable or gate the affected DNS/USB feature where it is not required, especially on devices exposed to untrusted host or network input.
  6. Run hardware-in-the-loop or emulator regression tests for DNS resolution, USB transfer completion, networking, boot, and memory safety behavior.
  7. Plan firmware rollout and rollback for deployed devices, including staged release monitoring for crashes, watchdog resets, and malformed input attempts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm each firmware build references a Zephyr tree containing patch a0d8f7865593 or a later fixed release or a later patched Zephyr revision.
  • Run negative tests for malformed hostnames, DNS suffixes, USB transfer timing, and endpoint queue states relevant to CVE-2026-10656.
  • Verify patched devices do not read past buffers, dereference NULL buffers, reset unexpectedly, or expose stale memory under test input.
  • Open the generated Fixnx page and confirm the canonical URL ends with zephyr-cve-2026-10656.
  • Re-run sitemap validation and confirm zephyr-cve-2026-10656 appears once in sitemap.xml with the full CVE-2026-10656 suffix.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-10656?

zephyrproject zephyr should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.