HID Driver Vulnerability in Espressif ESP-IDF Products
CVE-2025-68657

6.4MEDIUM

Key Information:

Vendor

Espressif

Status
Esp-usb
Vendor
CVE Published:
12 January 2026

What is CVE-2025-68657?

The Espressif ESP-IDF USB Host HID Driver prior to version 1.1.0 is susceptible to a vulnerability in which simultaneous calls to the hid_host_device_close() function can cause the same usb_transfer_t structure to be freed multiple times. This occurs due to a lack of locking when shared between the USB event callback and user code, allowing both to disrupt a READY interface concurrently. This may lead to heap metadata corruption within the ESP USB host stack, potentially impacting device stability and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

esp-usb < 1.1.0

References

https://github.com/espressif/esp-usb/security/advisories/...
x_refsource_CONFIRM
https://github.com/espressif/esp-usb/commit/cd28106e9f72a...
x_refsource_MISC
https://components.espressif.com/components/espressif/usb...
x_refsource_MISC

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.