{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-10647","assignerOrgId":"e2e69745-5e70-4e92-8431-deb5529a81ad","state":"PUBLISHED","assignerShortName":"zephyr","dateReserved":"2026-06-02T15:11:50.331Z","datePublished":"2026-06-29T21:39:08.442Z","dateUpdated":"2026-06-30T13:33:34.044Z"},"containers":{"cna":{"providerMetadata":{"orgId":"e2e69745-5e70-4e92-8431-deb5529a81ad","shortName":"zephyr","dateUpdated":"2026-06-29T21:39:08.442Z"},"title":"Deadlock denial of service in USB CDC-NCM device class on TX enqueue failure","descriptions":[{"lang":"en","value":"The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-completion callback. Because nothing was enqueued, that callback never fires and the calling thread — a shared network traffic-class TX thread — deadlocks permanently while holding the interface TX lock, halting transmission until reboot (and leaking the transmit buffer).\n\nThe enqueue fails under conditions controlled by the attached USB host: usbd_ep_enqueue() returns -EPERM whenever the bus is suspended (a standard, persistent host operation), and the underlying udc_ep_enqueue() returns -EPERM/-ENODEV on disconnect, bus reset, or endpoint disable. The cdc_ncm_send() guard only checks the DATA_IFACE_ENABLED and IFACE_UP flags, not the suspended state, so a packet transmitted while the host holds the bus suspended reaches the failing enqueue and deadlocks the TX path.\n\nThe realistic trigger is a bus suspend that occurs while the exported network interface is active and has traffic to send — host sleep, USB selective/auto-suspend, or hub power management — after which any device-originated packet deadlocks the path, recoverable only by reboot. The impact is a persistent loss of the virtual network connection between the host's NCM interface and the Zephyr device; because the deadlocked thread is a shared traffic-class TX thread, egress on other network interfaces can stall as well. There is no memory corruption or information disclosure.\n\nThe defect was introduced with the CDC-NCM driver and shipped in releases through v4.4.0; it is fixed by checking the usbd_ep_enqueue() return value and freeing the buffer before the blocking wait."}],"affected":[{"vendor":"zephyrproject","product":"zephyr","collectionURL":"https://github.com/zephyrproject-rtos/zephyr","packageName":"zephyr","defaultStatus":"unaffected","versions":[{"version":"4.1.0","status":"affected","lessThan":"4.5.0","versionType":"semver"}]}],"references":[{"url":"https://github.com/zephyrproject-rtos/zephyr/commit/255bccc1badd1aa06c6e5ddf5b40de8463b33f02","name":"Fix commit","tags":["patch"]},{"url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xcf7-r86m-5q9f","name":"GHSA-xcf7-r86m-5q9f"}],"metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.3,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"lang":"en","description":"dos","cweId":"CWE-833","type":"CWE"}]}],"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-30T13:33:24.759453Z","id":"CVE-2026-10647","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-30T13:33:34.044Z"}}]}}