CVE-2026-23679 Overview
CVE-2026-23679 is a NULL pointer dereference vulnerability [CWE-125] in libusb versions prior to 1.0.30. The flaw resides in the parse_interface() function, which handles USB configuration descriptors. When an interface declares bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer, the parser returns early without allocating the endpoint array. Applications iterating over endpoints subsequently dereference a NULL pointer and crash. The flaw is reachable through libusb_get_active_config_descriptor and libusb_get_config_descriptor, and can be triggered via virtualized USB passthrough, file-based descriptor parsing, or network-sourced descriptors.
Critical Impact
Attackers with local access can crash any application that consumes attacker-supplied USB descriptors through libusb, producing a denial-of-service condition against host services.
Affected Products
- libusb versions prior to 1.0.30
- Applications linking against vulnerable libusb builds that parse untrusted USB descriptors
- Virtualization and USB passthrough stacks relying on libusb for descriptor enumeration
Discovery Timeline
- 2026-05-27 - CVE-2026-23679 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-23679
Vulnerability Analysis
The vulnerability exists in libusb's descriptor parsing logic. USB configuration descriptors contain nested interface and endpoint descriptors, with optional class-specific descriptors interleaved between them. The parse_interface() function is responsible for walking this structure, validating each descriptor's length, and allocating an endpoint array sized by bNumEndpoints.
When an interface descriptor announces a non-zero bNumEndpoints but the next class-specific descriptor declares a bLength larger than the buffer space that remains, parse_interface() aborts the walk before reaching the endpoint allocation path. The function returns without setting the endpoint pointer or signaling an error to callers in a way that prevents downstream iteration.
Consumers calling libusb_get_active_config_descriptor or libusb_get_config_descriptor receive a partially populated libusb_interface_descriptor structure. Code that loops from zero to bNumEndpoints then dereferences the NULL endpoint field, crashing the process.
Root Cause
The root cause is inconsistent state between the bNumEndpoints count returned to callers and the actual allocation of the endpoint array. The parser trusts bNumEndpoints as authoritative for iteration but treats malformed class-specific descriptors as a silent termination condition. This mismatch produces a structure whose advertised size does not match its allocated backing memory.
Attack Vector
Exploitation requires the victim application to parse an attacker-controlled USB configuration descriptor. Attack paths include connecting a malicious or emulated USB device to a host running a vulnerable application, supplying crafted descriptor blobs to software that reads descriptors from files, and delivering descriptors over network protocols such as USB/IP. The result is a reliable crash of any process iterating endpoints on the malformed interface. The vulnerability does not provide memory disclosure or code execution primitives; impact is limited to availability.
No verified public exploit code is currently available. Refer to the VulnCheck Security Advisory and the upstream GitHub Issue Discussion for technical detail.
Detection Methods for CVE-2026-23679
Indicators of Compromise
- Unexpected segmentation faults or SIGSEGV core dumps from processes linked against libusb (for example usbd, virt-manager, qemu, container runtimes with USB passthrough).
- Repeated crash-restart cycles of USB-handling daemons immediately after a new USB device attaches or after a USB/IP session is established.
- Crash stack traces containing parse_interface, libusb_get_active_config_descriptor, or libusb_get_config_descriptor frames.
Detection Strategies
- Inventory installed libusb packages across endpoints and servers and flag any version older than 1.0.30.
- Monitor process crash telemetry for repeated terminations of services that consume USB descriptors, correlating with USB device attach events from kernel logs.
- Inspect USB/IP and virtualization audit trails for configuration descriptors where an interface's bNumEndpoints is non-zero but is followed by class-specific descriptors with an oversized bLength field.
Monitoring Recommendations
- Forward dmesg, udev, and application crash logs to a centralized analytics platform and alert on libusb-linked process terminations.
- Track USB device attach events on multi-tenant virtualization hosts and correlate with downstream service availability.
- Baseline normal USB descriptor structures in environments that ingest descriptors from files or network sources, and alert on length-field anomalies.
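To make the count/allocation mismatch from the Root Cause section and the bNumEndpoints-versus-bLength check from the Detection Strategies list concrete, the following is an added example in C, not libusb's own code: a small model of the descriptor walk with a flag selecting the flawed or the corrected behaviour. The struct iface type, the parse_interface and endpoints_seen signatures and the two descriptor blobs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define USB_DT_INTERFACE 0x04   /* descriptor type codes from the USB spec */
#define USB_DT_ENDPOINT  0x05
/* Simplified stand-in for the interface struct callers see (an assumption,
 * not libusb's libusb_interface_descriptor). */
struct iface { uint8_t bNumEndpoints; const uint8_t *endpoint; };
/* Walk one interface descriptor and what follows it. consistent=0 models the
 * flaw: an oversized class-specific bLength ends the walk silently, leaving
 * bNumEndpoints non-zero with endpoint still NULL. consistent=1 models the
 * corrected rule: count reset to match the missing array, -1 returned. */
static int parse_interface(const uint8_t *buf, size_t len,
                           struct iface *out, int consistent)
{
    out->bNumEndpoints = 0;
    out->endpoint = NULL;
    if (len < 9 || buf[0] < 9 || buf[1] != USB_DT_INTERFACE)
        return -1;                              /* not an interface descriptor */
    out->bNumEndpoints = buf[4];                /* bNumEndpoints field */
    if (out->bNumEndpoints == 0)
        return 0;                               /* no endpoint array needed */
    size_t off = buf[0];
    /* Skip class-specific descriptors until the first endpoint descriptor. */
    while (off + 2 > len || buf[off + 1] != USB_DT_ENDPOINT) {
        if (off + 2 > len || buf[off] < 2 || off + buf[off] > len) {
            if (!consistent)
                return 0;                       /* silent early return, count kept */
            out->bNumEndpoints = 0;             /* count now matches the missing array */
            return -1;
        }
        off += buf[off];
    }
    out->endpoint = buf + off;
    return 0;
}
/* Consumer loop of the kind the advisory describes: returns the endpoint
 * count it would iterate, or -1 where it would dereference NULL. */
static int endpoints_seen(const uint8_t *buf, size_t len, int consistent)
{
    struct iface it;
    parse_interface(buf, len, &it, consistent);
    return (it.bNumEndpoints > 0 && it.endpoint == NULL) ? -1 : it.bNumEndpoints;
}
/* Constructed samples: interface (bNumEndpoints=1) then a 7-byte endpoint
 * descriptor; same interface then a class-specific descriptor claiming
 * bLength=0x20 with only 5 bytes remaining. */
static const uint8_t good_blob[] = { 9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
                                     7, USB_DT_ENDPOINT, 0x81, 3, 0x40, 0, 1 };
static const uint8_t bad_blob[]  = { 9, USB_DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
                                     0x20, 0x24, 1, 0, 0 };
```

Run with consistent=1, parse_interface doubles as the audit check from the Detection Strategies list: a -1 on a captured descriptor blob flags exactly the bNumEndpoints-non-zero, oversized-bLength shape the advisory describes.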
How to Mitigate CVE-2026-23679
Immediate Actions Required
- Upgrade libusb to version 1.0.30 or later across all hosts, containers, and base images.
- Rebuild or repackage any statically linked applications that bundle a vulnerable libusb copy.
- Restrict USB passthrough and USB/IP exposure to trusted devices and authenticated endpoints only.
- Disable file-based or network-sourced descriptor parsing in applications where it is not required.
Patch Information
The issue is fixed upstream in libusb release v1.0.30. The corrective change is documented in the GitHub Pull Request and applied in commit 578ab76b. The fix ensures parse_interface() keeps bNumEndpoints consistent with the allocation state of the endpoint array when malformed class-specific descriptors are encountered.
Workarounds
- Where patching is not immediately possible, disconnect untrusted USB devices and disable USB passthrough for guest virtual machines.
- Block or filter USB/IP traffic at the network boundary for hosts that do not require remote USB device sharing.
- Run USB-handling services under supervisors that restart on crash to limit availability impact until the patched libusb is deployed.
# Verify the installed libusb version on Debian/Ubuntu systems
dpkg -l | grep libusb-1.0
# Verify on RPM-based systems
rpm -q libusb1
# Confirm that the runtime library reports version 1.0.30 or later
# (adjust the library path for your architecture; dots escaped so grep matches literally)
strings /usr/lib/x86_64-linux-gnu/libusb-1.0.so.0 | grep -i "1\.0\."
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.