CVE-2026-47104 Overview
CVE-2026-47104 is a one-byte out-of-bounds read vulnerability in libusb versions prior to 1.0.30. The flaw resides in the parse_iad_array() function within descriptor.c. When parsing a malformed USB descriptor whose bLength equals size minus one, the bounds check incorrectly references the original buffer size instead of the remaining size. An attacker supplying crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors can read one byte past the end of the malloc allocation. The condition produces a denial of service in applications linked against the vulnerable library, with virtualized environments using USB passthrough as a primary exposure path.
Critical Impact
Local attackers can trigger denial of service in applications using libusb by passing crafted USB descriptors, particularly impactful in virtualization platforms exposing USB devices to guests.
Affected Products
- libusb versions prior to 1.0.30
- Applications and services linked against vulnerable libusb builds
- Virtualization platforms relying on libusb for USB passthrough
Discovery Timeline
- 2026-05-27 - CVE-2026-47104 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-47104
Vulnerability Analysis
The vulnerability is classified as an Out-of-Bounds Read [CWE-125] and affects the descriptor parsing logic in libusb. The parse_iad_array() function in descriptor.c validates the bLength field of an Interface Association Descriptor (IAD) against the wrong size variable. When bLength equals size - 1, the function compares against the original buffer length rather than the remaining unparsed bytes. The parser advances past valid boundaries and reads a single byte beyond the allocated heap region returned by malloc. The consequence is process termination or undefined behavior in the calling application, producing a denial of service in any consumer of the affected APIs.
Root Cause
The root cause is an incorrect bounds variable inside parse_iad_array(). The check uses the initial buffer size constant rather than tracking the decremented remaining size as parsing progresses through descriptor structures. This off-by-one logic flaw permits the function to access one byte beyond the heap allocation when the supplied bLength is crafted to equal the original size minus one. The upstream fix in the GitHub commit 578ab76 corrects the size accounting in the bounds comparison.
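To make the off-by-one concrete, the following is an added illustration, not libusb's own code (the real parse_iad_array() differs in detail): a descriptor walk written in the flawed style, where the loop guard only compares against the original size, beside a walk that checks every read against the bytes remaining. The names walk_flawed, walk_fixed and the sample bytes are assumptions for illustration.

```c
#include <stdint.h>

#define DT_IAD  0x0B   /* bDescriptorType of an Interface Association Descriptor */
#define HDR_LEN 2      /* every USB descriptor starts with bLength, bDescriptorType */

/* iads: IADs counted; oob_offset: first offset touched at or past `size` (-1 if
 * none); status: 0 = walked to the end, -1 = rejected as malformed. */
struct walk_result { int iads; int oob_offset; int status; };
/* Reads go through peek() so an out-of-range access is recorded, not performed. */
static uint8_t peek(const uint8_t *buf, int size, int off, struct walk_result *r)
{
    if (off >= size) {
        if (r->oob_offset < 0) r->oob_offset = off;
        return 0;
    }
    return buf[off];
}

/* Flawed pattern: the loop guard is `consumed < size`, so with one byte left it
 * still reads a 2-byte header; the second byte lies one past the allocation. */
struct walk_result walk_flawed(const uint8_t *buf, int size)
{
    struct walk_result r = { 0, -1, 0 };
    for (int consumed = 0; consumed < size; ) {
        uint8_t bLength = peek(buf, size, consumed, &r);
        uint8_t bType   = peek(buf, size, consumed + 1, &r);
        if (bLength < HDR_LEN) { r.status = -1; return r; }
        if (bType == DT_IAD) r.iads++;
        consumed += bLength;
    }
    return r;
}

/* Hardened pattern: every check is against the bytes actually remaining. */
struct walk_result walk_fixed(const uint8_t *buf, int size)
{
    struct walk_result r = { 0, -1, 0 };
    for (int consumed = 0; consumed < size; ) {
        int remaining = size - consumed;
        if (remaining < HDR_LEN) { r.status = -1; return r; }
        uint8_t bLength = buf[consumed];
        if (bLength < HDR_LEN || bLength > remaining) { r.status = -1; return r; }
        if (buf[consumed + 1] == DT_IAD) r.iads++;
        consumed += bLength;
    }
    return r;
}
/* Constructed sample, not a device capture: 8 bytes whose first descriptor
 * claims bLength = 7 (size - 1), leaving exactly one trailing byte. */
const uint8_t crafted[8] = { 7, DT_IAD, 0, 2, 0xEF, 0x02, 0x01, 0x00 };
const int crafted_size = 8;
```

On the crafted buffer the flawed walk records an access at offset 8, exactly one byte past the 8-byte allocation, while the fixed walk stops with an error before that read.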
Attack Vector
Exploitation requires local access or the ability to deliver crafted USB descriptors to an application using libusb. In virtualized environments with USB passthrough, a guest can present a malicious virtual USB device whose descriptors reach the host parser. Applications calling libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors against attacker-controlled descriptors trigger the one-byte read past the allocation. The result is a denial of service against the application or the host service mediating USB access. Confidentiality and integrity are not affected per the CVSS 4.0 vector. Refer to the Vulncheck advisory for additional technical context.
Detection Methods for CVE-2026-47104
Indicators of Compromise
- Unexpected crashes or aborts in processes linking libusb.so when handling USB devices
- Repeated attachment of unfamiliar USB devices in virtualization hosts immediately preceding service failures
- AddressSanitizer or kernel logs reporting heap-buffer-overflow reads in parse_iad_array
Detection Strategies
- Inventory installed libusb versions across Linux endpoints, servers, and hypervisor hosts to identify builds older than 1.0.30
- Audit virtualization platforms (QEMU/KVM, VirtualBox) for USB passthrough configurations exposing host libusb to guests
- Run fuzzed descriptor samples against test workloads in non-production environments to confirm parser hardening after patching
Monitoring Recommendations
- Monitor process crash telemetry and core dumps from services that enumerate USB devices
- Alert on abnormal USB device attach events on multi-tenant hypervisors or shared workstations
- Track package manager update events to confirm libusb upgrades reach all affected hosts
How to Mitigate CVE-2026-47104
Immediate Actions Required
- Upgrade libusb to version 1.0.30 or later on all systems, referencing the v1.0.30 release notes
- Restart applications and services dynamically linked against libusb after patching to load the fixed library
- Disable USB passthrough on virtualization hosts where guests are untrusted until the host library is patched
Patch Information
The fix is committed upstream in libusb commit 578ab76b and shipped in the v1.0.30 release. Distribution-provided packages should be applied through the standard package manager once vendors publish updated builds. Background and discussion are tracked in libusb issue #1813 and pull request #1814.
Workarounds
- Restrict physical and virtual USB access to trusted devices only on systems running unpatched libusb
- Remove or disable USB passthrough configurations in hypervisors until the patched library is deployed
- Apply USB device filtering policies (udev rules, hypervisor allowlists) to block unknown vendor/product IDs
# Configuration example - verify installed libusb version on Linux
dpkg -l | grep libusb # Debian/Ubuntu
rpm -qa | grep libusb # RHEL/Fedora
ldconfig -p | grep libusb-1.0 # Confirm runtime library path
# Upgrade via package manager
sudo apt-get update && sudo apt-get install --only-upgrade libusb-1.0-0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.