CVE-2025-68656

Published: Jan 12, 2026Modified: Jan 22, 2026

6.8

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0.

Affected (1)

Products: Espressif: Usb Host Hid Driver

1 product

Usb Host Hid Driver

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Espressif Usb Host Hid Driver	Before 1.1.0

Related CWEs

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (3)

https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog

Source: security-advisories@github.com

Release Notes

https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660

Source: security-advisories@github.com

Patch

https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.