CVE-2025-68622 Overview
A stack buffer overflow vulnerability exists in the Espressif ESP-IDF USB Host UVC Class Driver prior to version 2.4.0. The vulnerability is located in the esp-usb UVC host implementation and can be triggered by a malicious USB Video Class (UVC) device during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length value that is not validated before being copied into a fixed-size stack buffer, allowing an attacker with physical access to overflow the buffer and corrupt memory.
Critical Impact
Physical attackers with a malicious USB device can achieve stack buffer overflow leading to potential memory corruption, arbitrary code execution, or system compromise on affected ESP-IDF IoT devices.
Affected Products
- Espressif ESP-IDF USB Host UVC Class Driver versions prior to 2.4.0
- esp-usb component with UVC host implementation
- IoT devices using vulnerable ESP-IDF USB host stack
Discovery Timeline
- 2026-01-12 - CVE CVE-2025-68622 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68622
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption issue that occurs when a program writes data beyond the boundaries of a fixed-size stack buffer. The attack requires physical access to the target device, meaning an attacker must be able to connect a malicious USB device directly to the vulnerable system.
The vulnerability manifests in the descriptor parsing logic of the USB Host UVC driver. When configuration-descriptor printing functionality is enabled, the driver processes and displays detailed information about connected USB devices. The flaw occurs because the driver trusts the length field provided within the UVC descriptor without proper validation, then uses this untrusted value to determine how much data to copy into a stack-allocated buffer of fixed size.
Root Cause
The root cause is improper input validation (CWE-121) in the UVC configuration-descriptor parsing code. The vulnerability stems from the driver failing to validate that the length field in a UVC descriptor does not exceed the size of the destination stack buffer before performing the copy operation. This lack of bounds checking allows a malicious device to specify an arbitrarily large length value, causing the copy operation to write beyond the buffer boundary and overwrite adjacent stack memory including return addresses and saved registers.
Attack Vector
Exploitation requires physical access to the target device. An attacker must craft a malicious USB Video Class device with a specially constructed configuration descriptor containing an oversized length field. When this device is connected to a vulnerable ESP-IDF system with UVC descriptor printing enabled, the parsing logic reads the malicious length value and attempts to copy the corresponding amount of data into a fixed-size stack buffer, resulting in a stack buffer overflow.
The attack flow involves:
- Attacker crafts a malicious USB device with a UVC descriptor containing an excessively large length value
- Malicious device is connected to the target ESP-IDF system
- The UVC host driver parses the configuration descriptor
- The untrusted length value causes the copy operation to overflow the stack buffer
- Stack memory corruption occurs, potentially overwriting return addresses and enabling code execution
For detailed technical information about the vulnerability mechanism and the fix, see the GitHub Security Advisory GHSA-g65h-9ggq-9827.
Detection Methods for CVE-2025-68622
Indicators of Compromise
- Unexpected system crashes or reboots when USB devices are connected
- Stack corruption errors or memory access violations in UVC driver logs
- Anomalous behavior from IoT devices after USB device connections
- Firmware integrity check failures on ESP-IDF based devices
Detection Strategies
- Monitor device logs for stack overflow or memory corruption exceptions
- Implement USB device whitelisting to block unauthorized devices
- Deploy physical security controls to prevent unauthorized USB device connections
- Perform firmware version audits to identify devices running esp-usb versions prior to 2.4.0
Monitoring Recommendations
- Enable verbose logging for USB host operations where feasible
- Monitor for abnormal UVC descriptor sizes in device connection events
- Implement alerting for repeated device crashes or exceptions during USB enumeration
- Track USB device connection events across IoT fleet deployments
How to Mitigate CVE-2025-68622
Immediate Actions Required
- Upgrade esp-usb component to version 2.4.0 or later immediately
- Disable UVC configuration-descriptor printing if not required for operations
- Implement physical security controls to prevent unauthorized USB device connections
- Audit all ESP-IDF deployments to identify affected firmware versions
Patch Information
The vulnerability is fixed in esp-usb version 2.4.0. Espressif has released a security patch that adds proper validation of descriptor length fields before copying data into stack buffers. The fix ensures that oversized length values in UVC descriptors cannot cause buffer overflows.
Patch details are available in the Espressif USB Host UVC Changelog and the specific GitHub commit 77a38b15 that addresses this vulnerability.
Workarounds
- Disable UVC configuration-descriptor printing functionality if upgrading is not immediately possible
- Restrict physical access to USB ports on affected devices
- Implement USB device authentication or whitelisting where supported
- Isolate vulnerable IoT devices from critical infrastructure until patching is complete
# Configuration example
# Update esp-usb component to patched version
idf.py add-dependency "espressif/usb_host_uvc>=2.4.0"
# Rebuild and flash firmware
idf.py build
idf.py flash
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

