{"id":"CVE-2026-23679","summary":"libusb \u003c 1.0.30 NULL Pointer Dereference in parse_interface()","details":"libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.","modified":"2026-07-08T08:12:26.120523060Z","published":"2026-05-27T13:21:37.035Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23679.json","cwe_ids":["CWE-125"],"cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23679.json"},{"type":"ADVISORY","url":"https://github.com/libusb/libusb/releases/tag/v1.0.30"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23679"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/libusb-null-pointer-dereference-in-parse-interface"},{"type":"REPORT","url":"https://github.com/libusb/libusb/issues/1813"},{"type":"REPORT","url":"https://github.com/libusb/libusb/pull/1814"},{"type":"FIX","url":"https://github.com/libusb/libusb/commit/578ab76b4c434f8b204137ab6d7310689c7a9704"},{"type":"PACKAGE","url":"https://github.com/libusb/libusb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libusb/libusb","events":[{"introduced":"0"},{"fixed":"87a55632db62c9bdc58cd31d3ccfa673f1bb017f"},{"fixed":"578ab76b4c434f8b204137ab6d7310689c7a9704"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.0.30"}],"cpe":"cpe:2.3:a:libusb:libusb:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["v1.0.30-rc2","v1.0.30-rc1","v1.0.29","v1.0.28","v1.0.28-rc1","v1.0.27","v1.0.27-rc2","v1.0.27-rc1","v1.0.26","v1.0.26-rc1","v1.0.25","v1.0.25-rc1","v1.0.24","v1.0.24-rc1","v1.0.23","v1.0.23-rc3","v1.0.23-rc2","v1.0.23-rc1","v1.0.22","v1.0.22-rc4","v1.0.22-rc3","v1.0.22-rc2","v1.0.22-rc1","v1.0.21","v1.0.21-rc6","v1.0.21-rc5","v1.0.21-rc4","v1.0.21-rc3","v1.0.21-rc2","v1.0.21-rc1","v1.0.20","v1.0.20-rc3","v1.0.20-rc2","v1.0.20-rc1","v1.0.19","v1.0.19-rc2","v1.0.19-rc1","v1.0.18","v1.0.18-rc1","v1.0.17","v1.0.17-rc1","v1.0.16","v1.0.16-rc3","v1.0.16-rc2","v1.0.16-rc1","v1.0.15","v1.0.15-rc3","v1.0.15-rc2","v1.0.15-rc1","v1.0.14","v1.0.13","v1.0.13-rc2","v1.0.13-rc1","v1.0.12","v1.0.12-rc1","v1.0.11","v1.0.11-rc1","v1.0.10","v1.0.10-rc1","v1.0.9","v1.0.9-rc5","v1.0.9-rc4","v1.0.8","v1.0.7","v1.0.6","v1.0.5","v1.0.4","v1.0.3","v1.0.2","v1.0.1","v1.0.0","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","academic-demo"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23679.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}