FKIE_CVE-2025-68657

Vulnerability from fkie_nvd - Published: 2026-01-12 18:15 - Updated: 2026-01-22 15:47
Severity ?
6.4 (Medium) - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.
References
security-advisories@github.comhttps://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelogRelease Notes
security-advisories@github.comhttps://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390bPatch
security-advisories@github.comhttps://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfvVendor Advisory, Patch
Impacted products
Vendor Product Version
espressif usb_host_hid_driver *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:espressif:usb_host_hid_driver:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "139CC02D-BC53-4537-B250-9AD6B260F309",
              "versionEndExcluding": "1.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0."
    },
    {
      "lang": "es",
      "value": "El controlador Espressif ESP-IDF USB Host HID (dispositivo de interfaz humana) permite el acceso a dispositivos HID. Antes de la versi\u00f3n 1.1.0, las llamadas a hid_host_device_close() pueden liberar la misma usb_transfer_t dos veces. La devoluci\u00f3n de llamada de eventos USB y el c\u00f3digo de usuario comparten el estado de hid_iface_t sin bloqueo, por lo que ambos pueden desmantelar una interfaz READY simult\u00e1neamente, corrompiendo los metadatos del heap dentro de la pila de host USB de ESP. Esta vulnerabilidad se corrige en la versi\u00f3n 1.1.0."
    }
  ],
  "id": "CVE-2025-68657",
  "lastModified": "2026-01-22T15:47:26.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-12T18:15:48.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-415"
        },
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.