The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68656

CVE-2025-68656: ESP-IDF USB Host Use-After-Free Flaw

CVE-2025-68656 is a use-after-free vulnerability in Espressif ESP-IDF USB Host HID Driver that occurs when processing oversized descriptors. This article covers the technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-68656 Overview

CVE-2025-68656 is a use-after-free vulnerability in the Espressif ESP-IDF USB Host HID (Human Interface Device) Driver. The vulnerability exists in the usb_class_request_get_descriptor() function, which improperly handles memory when processing oversized descriptor requests. When an attacker provides a malicious HID device with crafted Report Descriptor lengths, the function frees and reallocates hid_device->ctrl_xfer but continues to use a stale local pointer, resulting in an immediate use-after-free condition.

Critical Impact

An attacker with physical access can connect a malicious USB HID device to exploit this use-after-free vulnerability, potentially achieving code execution with high impact to confidentiality, integrity, and availability on affected ESP-IDF devices.

Affected Products

  • Espressif ESP-IDF USB Host HID Driver versions prior to 1.1.0
  • ESP32 and related microcontroller platforms using the vulnerable driver
  • IoT devices and embedded systems utilizing the esp-usb component library

Discovery Timeline

  • 2026-01-12 - CVE CVE-2025-68656 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68656

Vulnerability Analysis

This use-after-free vulnerability (CWE-416) occurs within the HID host driver's descriptor request handling. When the driver requests a HID descriptor that exceeds the currently allocated buffer size, the code path triggers a reallocation of the ctrl_xfer buffer. However, a local pointer to the original buffer is retained and subsequently used after the buffer has been freed, creating a classic use-after-free condition.

The vulnerability requires physical access to the target device, as an attacker must connect a malicious USB HID device. Despite this constraint, successful exploitation can result in complete compromise of the affected system, impacting confidentiality, integrity, and availability of the device.

Root Cause

The root cause is improper pointer management during buffer reallocation in the usb_class_request_get_descriptor() function. When an oversized descriptor is encountered, the function frees the existing hid_device->ctrl_xfer buffer and allocates a new, larger buffer. The vulnerability arises because a local pointer variable retains the address of the freed buffer and is subsequently dereferenced, leading to undefined behavior and potential code execution.

Attack Vector

The attack requires physical access to the target device's USB port. An attacker must connect a specially crafted malicious USB HID device that advertises an oversized Report Descriptor. The attack sequence is as follows:

  1. Attacker connects a malicious USB HID device to the target ESP32-based system
  2. The device enumerates and advertises a HID descriptor with a crafted oversized length
  3. The vulnerable driver attempts to retrieve the descriptor, triggering the buffer reallocation
  4. The stale pointer is used after the original buffer is freed
  5. Attacker-controlled data in the freed memory region is accessed, potentially leading to code execution

The security fix introduces proper bounds checking and handling for descriptor sizes:

c
// We are allowing realloc ctrl_xfer buffer, so max report desc size is limited by sane value
// based on very large, exotic devices: can go into the low kilobytes
#define HID_MIN_REPORT_DESC_LEN     512u
#define HID_MAX_REPORT_DESC_LEN     2048u

// HID spinlock
static portMUX_TYPE hid_lock = portMUX_INITIALIZER_UNLOCKED;
#define HID_ENTER_CRITICAL()    portENTER_CRITICAL(&hid_lock)

Source: GitHub Commit Changes

Detection Methods for CVE-2025-68656

Indicators of Compromise

  • Unexpected system crashes or reboots when connecting USB HID devices
  • Memory corruption errors or exceptions originating from the HID host driver
  • Unusual USB device enumeration activity with devices reporting abnormally large descriptor sizes
  • Debug logs showing descriptor length values exceeding typical HID device ranges (>2048 bytes)

Detection Strategies

  • Monitor USB enumeration events for HID devices with anomalously large Report Descriptor lengths
  • Implement runtime memory protection mechanisms to detect use-after-free conditions
  • Review system logs for crashes or exceptions within the usb_host_hid component
  • Deploy endpoint detection solutions capable of monitoring embedded device behavior

Monitoring Recommendations

  • Enable verbose logging for USB host operations to capture descriptor negotiation details
  • Implement physical security controls for USB ports on sensitive embedded devices
  • Use memory debugging tools during development to identify use-after-free patterns
  • Monitor for firmware integrity changes that could indicate post-exploitation persistence

How to Mitigate CVE-2025-68656

Immediate Actions Required

  • Update the ESP-IDF USB Host HID Driver to version 1.1.0 or later immediately
  • Disable or physically secure USB ports on production devices where possible
  • Audit all deployed ESP32-based devices for vulnerable driver versions
  • Implement USB device whitelisting to restrict unauthorized HID device connections

Patch Information

The vulnerability is fixed in version 1.1.0 of the Espressif USB Host HID component. The patch introduces proper bounds checking with defined minimum and maximum Report Descriptor lengths (HID_MIN_REPORT_DESC_LEN of 512 bytes and HID_MAX_REPORT_DESC_LEN of 2048 bytes), preventing the dangerous reallocation scenario. Organizations should update to the patched version using the ESP-IDF component manager or by applying the commit 81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 from the esp-usb repository.

For detailed patch information, see the Espressif USB Host HID Changelog and GitHub Security Advisory GHSA-2pm2-62mr-c9x7.

Workarounds

  • Implement physical access controls to prevent unauthorized USB device connections
  • Disable USB host functionality if HID device support is not required for the application
  • Deploy USB port blockers or locks on production devices
  • Consider implementing custom USB device authentication before descriptor processing
bash
# Update ESP-IDF USB Host HID component to patched version
idf.py add-dependency "espressif/usb_host_hid>=1.1.0"

# Verify installed component version
idf.py show-components | grep usb_host_hid

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechEsp32
  • SeverityMEDIUM
  • CVSS Score6.8
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-416
  • Technical References
  • Espressif USB Host HID Changelog
  • GitHub Commit Changes
  • GitHub Security Advisory GHSA-2pm2-62mr-c9x7
  • Related CVEs
  • CVE-2026-25532: ESP-IDF Buffer Overflow Vulnerability
  • CVE-2026-25508: ESP-IDF Buffer Overflow Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English