FKIE_CVE-2025-68622
Vulnerability from fkie_nvd - Published: 2026-01-12 17:15 - Updated: 2026-01-22 15:50
Summary
Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| espressif | usb_host_uvc_class_driver | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:usb_host_uvc_class_driver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "106F8B83-D544-4E82-B369-FA77389285F9",
"versionEndExcluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0."
},
{
"lang": "es",
"value": "El controlador de clase UVC de host USB de Espressif ESP-IDF permite la transmisi\u00f3n de video desde c\u00e1maras USB. Antes de la versi\u00f3n 2.4.0, una vulnerabilidad en la implementaci\u00f3n de host UVC de esp-usb permite que un dispositivo malicioso de clase de video USB (UVC) active un desbordamiento de b\u00fafer de pila durante el an\u00e1lisis del descriptor de configuraci\u00f3n. Cuando la impresi\u00f3n del descriptor de configuraci\u00f3n UVC est\u00e1 habilitada, el host imprime informaci\u00f3n detallada del descriptor proporcionada por el dispositivo USB conectado. Un descriptor UVC especialmente dise\u00f1ado puede anunciar una longitud excesivamente grande. Debido a que este valor no se valida antes de ser copiado en un b\u00fafer de pila de tama\u00f1o fijo, un atacante puede desbordar el b\u00fafer y corromper la memoria. Esta vulnerabilidad se corrige en la versi\u00f3n 2.4.0."
}
],
"id": "CVE-2025-68622",
"lastModified": "2026-01-22T15:50:31.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-12T17:15:53.050",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.