PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10668 Nuvoton CVE debrief

The Nuvoton NuMaker HSUSBD USB device-controller driver has a vulnerability that allows a malicious or buggy host to repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint, denying service to the device's USB function. The flaw is an availability-only denial of service, with no out-of-bounds access, use-after-free, or information leak. The vulnerability affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED).

Vendor
Nuvoton
Product
NuMaker HSUSBD USB device‑controller (driver)
CVSS
LOW 2.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-12
Original CVE updated
2026-07-12
Advisory published
2026-07-12
Advisory updated
2026-07-12

Who should care

Users of the Nuvoton NuMaker HSUSBD controller, specifically those with boards using CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED, should be aware of this vulnerability and take necessary precautions. Operators and security teams should review the vulnerability and implement compensating controls for exposed systems while remediation is scheduled and verified.

Technical summary

The vulnerability is caused by the unconditional arming of the control Data IN stage in the numaker_hsusbd_ep_trigger function. A fix is available that monitors the IN-token and new-SETUP events and only arms control Data IN when an IN token is present and no new SETUP has arrived. The fix prevents a malicious or buggy host from repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint. The vulnerability has a CVSS score of 2.4 and a severity of LOW.

Defensive priority

Low

Recommended defensive actions

  • Inventory and verify affected systems
  • Apply vendor patches or updates
  • Monitor for suspicious USB activity
  • Implement compensating controls, such as USB traffic monitoring
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-12T17:16:24.787Z and has not been modified since then. The NVD entry is currently in the 'Received' status. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED).

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.787Z and has not been modified since then. The NVD entry is currently Received.