What is CVE-2026-10647?

CVE-2026-10647 is a medium-severity vulnerability in Zephyrproject Zephyr, classified under CWE-833. CVSS score: 5.3/10. Published 2026-06-29.

How severe is CVE-2026-10647?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Zephyrproject Zephyr

CVE-2026-10647

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sy…

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Zephyrproject Zephyr — versions 4.1.0

Weakness classification (CWE)

CWE-833

References

vulnerabilities@zephyrproject.org (patch)
vulnerabilities@zephyrproject.org

Frequently asked questions

What is CVE-2026-10647?: CVE-2026-10647 is a medium-severity vulnerability in Zephyrproject Zephyr, classified under CWE-833. CVSS score: 5.3/10. Published 2026-06-29.
How severe is CVE-2026-10647?: Medium severity. CVSS v3 base score is 5.3 out of 10.