Use-After-Free Vulnerability in Espressif ESP-IDF USB Host HID Driver
CVE-2025-68656

6.8MEDIUM

Key Information:

Vendor

Espressif

Status
Esp-usb
Vendor
CVE Published:
12 January 2026

What is CVE-2025-68656?

The Espressif ESP-IDF USB Host HID Driver prior to version 1.1.0 contains a use-after-free vulnerability. This occurs during the handling of oversized Report Descriptor requests where the system frees and reallocates the control transfer pointer but continues to utilize a stale pointer, resulting in potential exploitation by malicious actors. For enhanced security, it is crucial to upgrade to version 1.1.0 or later, which addresses this critical issue.

Affected Version(s)

esp-usb < 1.1.0

References

https://github.com/espressif/esp-usb/security/advisories/...
x_refsource_CONFIRM
https://github.com/espressif/esp-usb/commit/81b37c96593c0...
x_refsource_MISC
https://components.espressif.com/components/espressif/usb...
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.