PatchSiren cyber security CVE debrief
CVE-2026-10663 zephyrproject CVE debrief
CVE-2026-10663 is a use-after-free vulnerability in Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK). The vulnerability occurs because the usbh_device_disconnect() function in subsys/usb/host/usbh_device.c frees the root usb_device slab object without clearing the cached pointer ctx->root. The bus removal handler dev_removed_handler() in subsys/usb/host/usbh_core.c then uses this dangling pointer, leading to a use-after-free condition. This can cause denial of service (crash) and memory corruption. The attack vector is physical/local.
- Vendor
- zephyrproject
- Product
- zephyr
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Organizations using Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK) should be aware of this vulnerability. This vulnerability requires physical access to the USB port to exploit, making it a concern for devices exposed to untrusted physical access.
Technical summary
The vulnerability is caused by a use-after-free error in the Zephyr USB host stack. When a device is disconnected, the usbh_device_disconnect() function frees the root usb_device slab object but does not clear the cached pointer ctx->root. The dev_removed_handler() function then checks ctx->root and, if it is non-NULL, proceeds to tear down the device. An attacker with physical USB access can cause a second device-removed event after a root device disconnect, leading to a use-after-free condition. This results in a denial of service (crash) and potential memory corruption.
Defensive priority
High
Recommended defensive actions
- Apply the official patch or update to a version of Zephyr that includes the fix.
- Implement compensating controls to limit physical access to USB ports.
- Monitor for suspicious USB activity.
- Perform regular inventory checks to ensure all devices are accounted for.
- Review USB port access controls to prevent unauthorized access.
- Track exceptions and retest remediated assets to ensure effectiveness.
- Verify that all devices are properly configured and secured.
Evidence notes
The CVE record was published on 2026-07-12T17:16:23.120Z and has not been modified since then. The NVD entry is currently being reviewed. Organizations should verify their exposure and apply compensating controls as needed. Defensive verification tasks include reviewing USB port access controls and monitoring for suspicious USB activity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:23.120Z and has not been modified since then.