Out-of-Bounds Read Vulnerability in libusb Affects Various Platforms
CVE-2026-47104

5.1 MEDIUM

Key Information:

Vendor

Libusb

Status
Vendor
CVE Published:
27 May 2026

What is CVE-2026-47104?

An out-of-bounds read vulnerability has been identified in libusb prior to version 1.0.30, in the parse_iad_array() function in descriptor.c. Malformed USB descriptors can trigger the flaw and cause a denial of service. In environments with USB passthrough enabled, such as virtual machines, an attacker can supply crafted descriptors that are parsed by functions such as libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors, resulting in a read past the end of the allocated buffer. This can affect system stability, and affected libusb versions should be patched promptly.
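As an added illustration (not libusb's code, and not a reproduction of the specific flaw, whose details this page does not give), the following C walker checks every bLength against the bytes remaining before it reads a descriptor field. The struct, function name and sample buffers are hypothetical and constructed for this example; the descriptor type 0x0B and the 8-byte length are the standard values for a USB interface association descriptor (IAD).

```c
#include <stddef.h>
#include <stdint.h>

#define DT_IAD      0x0B  /* interface association descriptor type */
#define IAD_LENGTH  8     /* fixed size of an IAD */
#define HDR_LENGTH  2     /* bLength + bDescriptorType */

struct iad {              /* hypothetical output record for this example */
    uint8_t first_interface, interface_count;
    uint8_t func_class, func_subclass, func_protocol, i_function;
};

/* Constructed samples: config (9) + IAD (8) + interface (9) bytes, then two bad blobs. */
const uint8_t sample_config[] = {
    0x09, 0x02, 0x1A, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,
    0x08, 0x0B, 0x00, 0x02, 0x0E, 0x03, 0x00, 0x00,
    0x09, 0x04, 0x00, 0x00, 0x00, 0x0E, 0x01, 0x00, 0x00,
};
const uint8_t short_iad[] = { 0x04, 0x0B, 0x00, 0x02 }; /* IAD type, only 4 bytes */
const uint8_t zero_len[]  = { 0x00, 0x0B };             /* bLength of 0 */

/* Walk a descriptor blob and copy out at most `max` IADs.
 * Returns the number stored, or -1 if any descriptor is malformed. */
int collect_iads(const uint8_t *buf, size_t len, struct iad *out, size_t max)
{
    size_t off = 0, n = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < HDR_LENGTH)
            return -1;                      /* truncated header */
        const uint8_t *d = buf + off;
        if (d[0] < HDR_LENGTH || d[0] > remaining)
            return -1;                      /* too short, or runs past the buffer */
        if (d[1] == DT_IAD) {
            if (d[0] < IAD_LENGTH || n == max)
                return -1;                  /* short IAD, or output array full */
            out[n++] = (struct iad){ d[2], d[3], d[4], d[5], d[6], d[7] };
        }
        off += d[0];                        /* d[0] >= 2, so the loop terminates */
    }
    return (int)n;
}
```

Rejecting the whole blob on the first inconsistent length keeps a device-supplied bLength from ever steering a read or write outside the caller's buffers.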

Affected Version(s)

libusb 0

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

@MarkLee131