Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68622

CVE-2025-68622: ESP-IDF UVC Driver Buffer Overflow Flaw

CVE-2025-68622 is a stack buffer overflow in Espressif ESP-IDF UVC driver that lets malicious USB devices corrupt memory during descriptor parsing. This article covers the technical details, affected versions, and patches.

Updated:

CVE-2025-68622 Overview

A stack buffer overflow vulnerability exists in the Espressif ESP-IDF USB Host UVC Class Driver prior to version 2.4.0. The vulnerability is located in the esp-usb UVC host implementation and can be triggered by a malicious USB Video Class (UVC) device during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length value that is not validated before being copied into a fixed-size stack buffer, allowing an attacker with physical access to overflow the buffer and corrupt memory.

Critical Impact

Physical attackers with a malicious USB device can achieve stack buffer overflow leading to potential memory corruption, arbitrary code execution, or system compromise on affected ESP-IDF IoT devices.

Affected Products

  • Espressif ESP-IDF USB Host UVC Class Driver versions prior to 2.4.0
  • esp-usb component with UVC host implementation
  • IoT devices using vulnerable ESP-IDF USB host stack

Discovery Timeline

  • 2026-01-12 - CVE CVE-2025-68622 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68622

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption issue that occurs when a program writes data beyond the boundaries of a fixed-size stack buffer. The attack requires physical access to the target device, meaning an attacker must be able to connect a malicious USB device directly to the vulnerable system.

The vulnerability manifests in the descriptor parsing logic of the USB Host UVC driver. When configuration-descriptor printing functionality is enabled, the driver processes and displays detailed information about connected USB devices. The flaw occurs because the driver trusts the length field provided within the UVC descriptor without proper validation, then uses this untrusted value to determine how much data to copy into a stack-allocated buffer of fixed size.

Root Cause

The root cause is improper input validation (CWE-121) in the UVC configuration-descriptor parsing code. The vulnerability stems from the driver failing to validate that the length field in a UVC descriptor does not exceed the size of the destination stack buffer before performing the copy operation. This lack of bounds checking allows a malicious device to specify an arbitrarily large length value, causing the copy operation to write beyond the buffer boundary and overwrite adjacent stack memory including return addresses and saved registers.

Attack Vector

Exploitation requires physical access to the target device. An attacker must craft a malicious USB Video Class device with a specially constructed configuration descriptor containing an oversized length field. When this device is connected to a vulnerable ESP-IDF system with UVC descriptor printing enabled, the parsing logic reads the malicious length value and attempts to copy the corresponding amount of data into a fixed-size stack buffer, resulting in a stack buffer overflow.

The attack flow involves:

  1. Attacker crafts a malicious USB device with a UVC descriptor containing an excessively large length value
  2. Malicious device is connected to the target ESP-IDF system
  3. The UVC host driver parses the configuration descriptor
  4. The untrusted length value causes the copy operation to overflow the stack buffer
  5. Stack memory corruption occurs, potentially overwriting return addresses and enabling code execution

For detailed technical information about the vulnerability mechanism and the fix, see the GitHub Security Advisory GHSA-g65h-9ggq-9827.

Detection Methods for CVE-2025-68622

Indicators of Compromise

  • Unexpected system crashes or reboots when USB devices are connected
  • Stack corruption errors or memory access violations in UVC driver logs
  • Anomalous behavior from IoT devices after USB device connections
  • Firmware integrity check failures on ESP-IDF based devices

Detection Strategies

  • Monitor device logs for stack overflow or memory corruption exceptions
  • Implement USB device whitelisting to block unauthorized devices
  • Deploy physical security controls to prevent unauthorized USB device connections
  • Perform firmware version audits to identify devices running esp-usb versions prior to 2.4.0

Monitoring Recommendations

  • Enable verbose logging for USB host operations where feasible
  • Monitor for abnormal UVC descriptor sizes in device connection events
  • Implement alerting for repeated device crashes or exceptions during USB enumeration
  • Track USB device connection events across IoT fleet deployments

How to Mitigate CVE-2025-68622

Immediate Actions Required

  • Upgrade esp-usb component to version 2.4.0 or later immediately
  • Disable UVC configuration-descriptor printing if not required for operations
  • Implement physical security controls to prevent unauthorized USB device connections
  • Audit all ESP-IDF deployments to identify affected firmware versions

Patch Information

The vulnerability is fixed in esp-usb version 2.4.0. Espressif has released a security patch that adds proper validation of descriptor length fields before copying data into stack buffers. The fix ensures that oversized length values in UVC descriptors cannot cause buffer overflows.

Patch details are available in the Espressif USB Host UVC Changelog and the specific GitHub commit 77a38b15 that addresses this vulnerability.

Workarounds

  • Disable UVC configuration-descriptor printing functionality if upgrading is not immediately possible
  • Restrict physical access to USB ports on affected devices
  • Implement USB device authentication or whitelisting where supported
  • Isolate vulnerable IoT devices from critical infrastructure until patching is complete
bash
# Configuration example
# Update esp-usb component to patched version
idf.py add-dependency "espressif/usb_host_uvc>=2.4.0"

# Rebuild and flash firmware
idf.py build
idf.py flash

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.