Description
Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
Published: 2026-03-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (infinite USB interrupt loop)
Action: Apply Patch
AI Analysis

Impact

A flaw in the STM32 USB device controller driver embedded in Zephyr RTOS causes the interrupt handler to enter an endless loop when processing USB events. This unchecked loop, classified as CWE‑835, prevents the kernel from servicing other tasks, effectively freezing the system and denying service to legitimate USB operations.

Affected Systems

The vulnerability resides in the Zephyr RTOS STM32 USB device driver (drivers/usb/device/usb_dc_stm32.c). Every Zephyr build that includes this driver may be impacted, as no specific version was identified in the advisory.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker could trigger the infinite loop by interacting with the USB subsystem, for example by sending malformed USB packets or by connecting a compromised peripheral. If the system permits USB access from untrusted sources, the denial of service could affect any user relying on USB functionality.

Generated by OpenCVE AI on April 3, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Zephyr patch that resolves the STM32 USB driver issue or upgrade to a release that includes the fix
  • If patching is not immediately possible, disable or tightly restrict USB device functionality on the embedded system
  • Monitor CPU usage and thread states for abnormal activity that may indicate an infinite loop
  • Review Zephyr security advisories regularly to stay informed about new patches



Advisories

No advisories yet.

History

Thu, 02 Apr 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Zephyrproject; Zephyrproject zephyr |
| CPEs | | cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:* |
| Vendors & Products | | Zephyrproject; Zephyrproject zephyr |

Mon, 16 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Zephyrproject-rtos; Zephyrproject-rtos zephyr |
| Vendors & Products | | Zephyrproject-rtos; Zephyrproject-rtos zephyr |

Sat, 14 Mar 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop. |
| Title | | stm32: usb: Infinite while loop in Interrupt Handler |
| Weaknesses | | CWE-835 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'} |


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-03-16T19:21:28.420Z

Reserved: 2026-03-14T21:31:58.213Z

Link: CVE-2026-4179

Vulnrichment

Updated: 2026-03-16T19:21:20.951Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:58.400

Modified: 2026-04-02T20:45:41.860

Link: CVE-2026-4179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:27Z

Weaknesses