CVE-2025-68656
Use-After-Free in Espressif ESP-IDF USB Host HID Driver
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espressif | usb_host_hid | up to 1.1.0 (excluding) |
| espressif | usb_host_hid | 1.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68656 is a use-after-free vulnerability in the Espressif ESP-IDF USB Host HID driver. It occurs when the function usb_class_request_get_descriptor() handles an attacker-controlled, oversized HID Report Descriptor. To make room for the larger descriptor, the function frees and reallocates a buffer (hid_device->ctrl_xfer) but then continues to use the original, now-freed pointer, an immediate use-after-free. Writes through that stale pointer corrupt freed heap memory, which can cause crashes or potentially lead to arbitrary code execution on the host system. The issue is fixed in version 1.1.0 by adding size limits, safe buffer reallocation, and improved error handling. [2, 3]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary memory corruption within the USB host task, potentially causing system crashes, instability, or denial of service. An attacker controlling a malicious USB HID device can exploit this flaw to overwrite freed heap memory, which may allow them to manipulate critical memory allocator structures. This could escalate to arbitrary code execution on the host device, compromising the confidentiality, integrity, and availability of the system. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-68656, update the Espressif ESP-IDF USB Host HID driver to version 1.1.0 or later, which contains the fix for the use-after-free vulnerability. The update limits the HID report descriptor size to a maximum of 2048 bytes, reallocates control transfer buffers safely, and improves error handling to prevent memory corruption. Avoid using vulnerable versions (1.0.4 and earlier). Additionally, ensure that your system does not accept oversized HID report descriptors from USB devices, and monitor for any unusual USB device behavior. [1, 2, 3]
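The following is a constructed C model of the hardened buffer-growth path that the two answers above describe (validate the advertised length, grow the transfer buffer safely, keep using only the refreshed pointer). It is an added example, not ESP-IDF code: the struct layout, function names and error codes are assumptions; only the 2048-byte cap and the hid_device->ctrl_xfer name come from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the driver's control-transfer buffer; the real
 * hid_device->ctrl_xfer is only named, not defined, in the advisory. */
#define HID_REPORT_DESC_MAX_LEN 2048   /* descriptor cap stated in the fix */

typedef struct { uint8_t *data; size_t cap; } ctrl_xfer_t;
typedef struct { ctrl_xfer_t *ctrl_xfer; } hid_device_t;
typedef enum { HID_OK = 0, HID_ERR_SIZE, HID_ERR_NO_MEM } hid_err_t;

static ctrl_xfer_t *ctrl_xfer_alloc(size_t cap)
{
    ctrl_xfer_t *x = calloc(1, sizeof *x);
    if (!x) return NULL;
    x->data = malloc(cap);
    if (!x->data) { free(x); return NULL; }
    x->cap = cap;
    return x;
}

static void ctrl_xfer_free(ctrl_xfer_t *x) { if (x) { free(x->data); free(x); } }

hid_device_t *hid_device_create(size_t initial_cap)
{
    hid_device_t *hid = calloc(1, sizeof *hid);
    if (hid && !(hid->ctrl_xfer = ctrl_xfer_alloc(initial_cap))) { free(hid); return NULL; }
    return hid;
}

/* Hardened handling of a device-advertised report-descriptor length: validate
 * the size first, allocate the replacement before freeing the old transfer, and
 * store the new pointer back into the device. The defect the advisory describes
 * is keeping a copy of the old ctrl_xfer pointer across this step and using it
 * afterwards (CWE-416); here every later access goes through hid->ctrl_xfer. */
hid_err_t hid_store_report_desc(hid_device_t *hid, const uint8_t *desc, size_t len)
{
    if (len == 0 || len > HID_REPORT_DESC_MAX_LEN)
        return HID_ERR_SIZE;                  /* reject oversized descriptors */
    if (hid->ctrl_xfer->cap < len) {
        ctrl_xfer_t *bigger = ctrl_xfer_alloc(len);
        if (!bigger)
            return HID_ERR_NO_MEM;            /* old buffer stays valid on failure */
        ctrl_xfer_free(hid->ctrl_xfer);
        hid->ctrl_xfer = bigger;              /* refresh before any further use */
    }
    memcpy(hid->ctrl_xfer->data, desc, len);  /* uses the current pointer only */
    return HID_OK;
}
```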