Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68656

CVE-2025-68656: ESP-IDF USB Host Use-After-Free Flaw

CVE-2025-68656 is a use-after-free vulnerability in Espressif ESP-IDF USB Host HID Driver that occurs when processing oversized descriptors. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-68656 Overview

CVE-2025-68656 is a use-after-free vulnerability in the Espressif ESP-IDF USB Host HID (Human Interface Device) Driver. The vulnerability exists in the usb_class_request_get_descriptor() function, which improperly handles memory when processing oversized descriptor requests. When an attacker provides a malicious HID device with crafted Report Descriptor lengths, the function frees and reallocates hid_device->ctrl_xfer but continues to use a stale local pointer, resulting in an immediate use-after-free condition.

Critical Impact

An attacker with physical access can connect a malicious USB HID device to exploit this use-after-free vulnerability, potentially achieving code execution with high impact to confidentiality, integrity, and availability on affected ESP-IDF devices.

Affected Products

  • Espressif ESP-IDF USB Host HID Driver versions prior to 1.1.0
  • ESP32 and related microcontroller platforms using the vulnerable driver
  • IoT devices and embedded systems utilizing the esp-usb component library

Discovery Timeline

  • 2026-01-12 - CVE CVE-2025-68656 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68656

Vulnerability Analysis

This use-after-free vulnerability (CWE-416) occurs within the HID host driver's descriptor request handling. When the driver requests a HID descriptor that exceeds the currently allocated buffer size, the code path triggers a reallocation of the ctrl_xfer buffer. However, a local pointer to the original buffer is retained and subsequently used after the buffer has been freed, creating a classic use-after-free condition.

The vulnerability requires physical access to the target device, as an attacker must connect a malicious USB HID device. Despite this constraint, successful exploitation can result in complete compromise of the affected system, impacting confidentiality, integrity, and availability of the device.

Root Cause

The root cause is improper pointer management during buffer reallocation in the usb_class_request_get_descriptor() function. When an oversized descriptor is encountered, the function frees the existing hid_device->ctrl_xfer buffer and allocates a new, larger buffer. The vulnerability arises because a local pointer variable retains the address of the freed buffer and is subsequently dereferenced, leading to undefined behavior and potential code execution.

Attack Vector

The attack requires physical access to the target device's USB port. An attacker must connect a specially crafted malicious USB HID device that advertises an oversized Report Descriptor. The attack sequence is as follows:

  1. Attacker connects a malicious USB HID device to the target ESP32-based system
  2. The device enumerates and advertises a HID descriptor with a crafted oversized length
  3. The vulnerable driver attempts to retrieve the descriptor, triggering the buffer reallocation
  4. The stale pointer is used after the original buffer is freed
  5. Attacker-controlled data in the freed memory region is accessed, potentially leading to code execution

The security fix introduces proper bounds checking and handling for descriptor sizes:

c
// We are allowing realloc ctrl_xfer buffer, so max report desc size is limited by sane value
// based on very large, exotic devices: can go into the low kilobytes
#define HID_MIN_REPORT_DESC_LEN     512u
#define HID_MAX_REPORT_DESC_LEN     2048u

// HID spinlock
static portMUX_TYPE hid_lock = portMUX_INITIALIZER_UNLOCKED;
#define HID_ENTER_CRITICAL()    portENTER_CRITICAL(&hid_lock)

Source: GitHub Commit Changes

Detection Methods for CVE-2025-68656

Indicators of Compromise

  • Unexpected system crashes or reboots when connecting USB HID devices
  • Memory corruption errors or exceptions originating from the HID host driver
  • Unusual USB device enumeration activity with devices reporting abnormally large descriptor sizes
  • Debug logs showing descriptor length values exceeding typical HID device ranges (>2048 bytes)

Detection Strategies

  • Monitor USB enumeration events for HID devices with anomalously large Report Descriptor lengths
  • Implement runtime memory protection mechanisms to detect use-after-free conditions
  • Review system logs for crashes or exceptions within the usb_host_hid component
  • Deploy endpoint detection solutions capable of monitoring embedded device behavior

Monitoring Recommendations

  • Enable verbose logging for USB host operations to capture descriptor negotiation details
  • Implement physical security controls for USB ports on sensitive embedded devices
  • Use memory debugging tools during development to identify use-after-free patterns
  • Monitor for firmware integrity changes that could indicate post-exploitation persistence

How to Mitigate CVE-2025-68656

Immediate Actions Required

  • Update the ESP-IDF USB Host HID Driver to version 1.1.0 or later immediately
  • Disable or physically secure USB ports on production devices where possible
  • Audit all deployed ESP32-based devices for vulnerable driver versions
  • Implement USB device whitelisting to restrict unauthorized HID device connections

Patch Information

The vulnerability is fixed in version 1.1.0 of the Espressif USB Host HID component. The patch introduces proper bounds checking with defined minimum and maximum Report Descriptor lengths (HID_MIN_REPORT_DESC_LEN of 512 bytes and HID_MAX_REPORT_DESC_LEN of 2048 bytes), preventing the dangerous reallocation scenario. Organizations should update to the patched version using the ESP-IDF component manager or by applying the commit 81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 from the esp-usb repository.

For detailed patch information, see the Espressif USB Host HID Changelog and GitHub Security Advisory GHSA-2pm2-62mr-c9x7.

Workarounds

  • Implement physical access controls to prevent unauthorized USB device connections
  • Disable USB host functionality if HID device support is not required for the application
  • Deploy USB port blockers or locks on production devices
  • Consider implementing custom USB device authentication before descriptor processing
bash
# Update ESP-IDF USB Host HID component to patched version
idf.py add-dependency "espressif/usb_host_hid>=1.1.0"

# Verify installed component version
idf.py show-components | grep usb_host_hid

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.