{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4179", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-03-14T21:31:58.213Z", "datePublished": "2026-03-14T21:51:33.203Z", "dateUpdated": "2026-03-16T19:21:28.420Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Zephyr", "product": "Zephyr", "repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThanOrEqual": "4.3", "status": "affected", "version": "*", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "stm32: usb: Infinite while loop in Interrupt Handler"}], "value": "Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:51:33.203Z"}, "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf"}], "source": {"discovery": "UNKNOWN"}, "title": "stm32: usb: Infinite while loop in Interrupt Handler", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:21:06.615239Z", "id": "CVE-2026-4179", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:21:28.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4179", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:21:06.615239Z"}}}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:21:20.951Z"}}], "cna": {"title": "stm32: usb: Infinite while loop in Interrupt Handler", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "product": "Zephyr", "versions": [{"status": "affected", "version": "*", "versionType": "git", "lessThanOrEqual": "4.3"}], "packageName": "Zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.", "supportingMedia": [{"type": "text/html", "value": "stm32: usb: Infinite while loop in Interrupt Handler", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:51:33.203Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4179", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:21:28.420Z", "dateReserved": "2026-03-14T21:31:58.213Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-03-14T21:51:33.203Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D912614-A39E-4C9B-AA54-187BC26337B9", "versionEndIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop."}, {"lang": "es", "value": "Problemas en el controlador de dispositivo USB stm32 (drivers/usb/device/usb_dc_stm32.c) pueden llevar a un bucle while infinito."}], "id": "CVE-2026-4179", "lastModified": "2026-04-02T20:45:41.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}, "published": "2026-03-16T14:19:58.400", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xg7-g3q3-9prf"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zephyr", "source": "cna", "vendor": "zephyrproject-rtos"}, "product": "zephyr", "vendor": "zephyrproject-rtos"}], "analysis": {"en": {"generated_at": "2026-04-03T00:52:17.314259+00:00", "value": {"mitigation_remediation": ["Apply the Zephyr patch that resolves the STM32 USB driver issue or upgrade to a release that includes the fix", "If patching is not immediately possible, disable or tightly restrict USB device functionality on the embedded system", "Monitor CPU usage and thread states for abnormal activity that may indicate an infinite loop", "Review Zephyr security advisories regularly to stay informed about new patches"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (infinite USB interrupt loop)"}, "threat_synthesis": {"affected_systems": "The vulnerability resides in the Zephyr RTOS STM32 USB device driver (drivers/usb/device/usb_dc_stm32.c). Every Zephyr build that includes this driver may be impacted, as no specific version was identified in the advisory.", "description_and_impact": "An flaw in the STM32 USB device controller driver embedded in Zephyr RTOS causes the interrupt handler to enter an endless loop when processing USB events. This unchecked loop, classified as CWE\u2011835, prevents the kernel from servicing other tasks, effectively freezing the system and denying service to legitimate USB operations.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker could trigger the infinite loop by interacting with the USB subsystem, for example by sending malformed USB packets or by connecting a compromised peripheral. If the system permits USB access from untrusted sources, the denial of service could affect any user relying on USB functionality."}}}}, "created": "2026-03-16T09:22:18.122848+00:00", "updated": "2026-04-03T09:39:27.858531+00:00", "vendors": ["zephyrproject-rtos", "zephyrproject-rtos$PRODUCT$zephyr"]}