{"id":"CVE-2025-68656","summary":"Espressif ESP-IDF USB Host HID (Human Interface Device) Driver Descriptor Use-After-Free Vulnerability","details":"Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device-\u003ectrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0.","aliases":["GHSA-2pm2-62mr-c9x7"],"modified":"2026-01-24T05:49:59.290187Z","published":"2026-01-12T17:23:19.393Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68656.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-416"]},"references":[{"type":"WEB","url":"https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68656.json"},{"type":"FIX","url":"https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660"},{"type":"ADVISORY","url":"https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68656"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/espressif/esp-usb","events":[{"introduced":"0"},{"fixed":"81b37c96593c0bec92ef14c6ee6bf8cab8d8f660"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68656.json","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["30573588756043735646226924571064505577","23911667416852953725167665379109266753","33166015126901929289317497830519526768","104260068353780769148812606905544769287","7812249450478543112833420089341392170","87786414630597171720591260029246164445","56774712647867641726989552907116976921","259900246121263847868352100350503105051"]},"source":"https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660","target":{"file":"host/class/hid/usb_host_hid/test_app/main/test_hid_basic.c"},"signature_type":"Line","id":"CVE-2025-68656-1458d7f6","deprecated":false},{"signature_version":"v1","digest":{"length":858,"function_hash":"9342089019325999056679554263420905961"},"source":"https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660","target":{"function":"hid_host_install_device","file":"host/class/hid/usb_host_hid/hid_host.c"},"signature_type":"Function","id":"CVE-2025-68656-612358cc","deprecated":false},{"signature_version":"v1","digest":{"length":1487,"function_hash":"108607147983006969163785848662868780293"},"source":"https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660","target":{"function":"usb_class_request_get_descriptor","file":"host/class/hid/usb_host_hid/hid_host.c"},"signature_type":"Function","id":"CVE-2025-68656-71430e58","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["28425058976442883315737745156273014428","161522489015459116336640338878484415553","251827597518431817758565970001274792046","320640235656502241084909974052448744943","156825895259398369196331483210007288931","212083530847573584389791588372978610980","250681035091624444688397517552560928994","321348487290859793544921390086787353758","118495057352433583449636518590724759979","285567286893184623516964851943801043604","141779320287872826577826447010504602735","102005580422893304879937562354224173590","20278796678253212653630947733354121818","149236248529896685834625529077043315813","88162399843979378308659898305405453594","192259400523435597261546612104167587624","91117872813100645860192280327061381277","106620973041469152816559002625696783708","16349469642712436941292686513512784675","200876151116197210280128004739889858777","212256096070837805518628230549286893812","111958907429725610982438696333292386272","32408084092445821195742608458631870437","80082423418012376483990991491280458254","233648505953951797188511084875411529115","225359350596965484968339054689649202709","54485289847391165439903047055548932321","119659045062870254072934941046727265130","171452440065868064727010315727099274407","144579667792973117322792525635186940434","239075532477601871254146648245515128718","44448667522050194197936632721420516274","87910990248643795459505896691511783272","239256771868193941581438817935769586903","130718469705183504804758929707821288664","54479226793597121194696118718431540024","150203824154907256606604897146914945230","275736503956006538418599807761605580901","272807343216455469867383182785929622799","6910206916613769815008259151989503436","49978950435798412755146335978971265562","214606511111825038341187911693881556603","128413812614670138920699797134130425818"]},"source":"https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660","target":{"file":"host/class/hid/usb_host_hid/hid_host.c"},"signature_type":"Line","id":"CVE-2025-68656-e7ec228d","deprecated":false}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}