CVE-2025-68657
Unknown Unknown - Not Provided
Double Free Heap Corruption in Espressif ESP-IDF USB Host HID

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68657
EUVD
EUVD-2025-206281
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
espressif usb_host_hid to 1.1.0 (exc)
espressif usb_host_hid 1.1.0
espressif esp-usb *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Espressif ESP-IDF USB Host HID driver, specifically in the function hid_host_device_close(). Prior to version 1.1.0, concurrent calls to this function could cause the same usb_transfer_t memory to be freed twice due to lack of proper synchronization. The USB event callback and user code share the hid_iface_t state without locking, allowing both to simultaneously tear down a READY interface. This leads to heap metadata corruption inside the ESP USB host stack, potentially causing crashes or memory corruption. [2, 3]

Impact Analysis

This vulnerability can cause double-free and use-after-free conditions in the host process, which may allow a malicious HID device to crash the host system or manipulate heap metadata. Exploiting this requires extremely precise timing due to existing serialization mechanisms, making practical exploitation difficult without additional flaws. However, if exploited, it can impact system stability and security by causing memory corruption and potential denial of service. [3]

Detection Guidance

This vulnerability is a race condition in the Espressif ESP-IDF USB Host HID driver that occurs during concurrent calls to hid_host_device_close(), leading to double-free and heap corruption. Detection involves monitoring for crashes, heap corruption, or unusual USB HID device disconnect behavior. Since the vulnerability window is extremely narrow and timing-dependent, direct detection via commands is challenging. However, you can check the version of the usb_host_hid driver installed on your system to ensure it is version 1.1.0 or later, which includes the fix. For Espressif ESP-IDF, you can verify the version of the usb_host_hid component in your build environment or firmware. Specific commands to detect the vulnerability are not provided in the resources. [2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade the Espressif ESP-IDF usb_host_hid driver to version 1.1.0 or later, where the vulnerability is fixed. This version introduces a mutex to serialize open and close operations on HID devices, preventing the race condition and double-free issues. Additionally, ensure that your system is not running vulnerable versions (1.0.4 or earlier) of the usb_host_hid component. Applying the update will prevent concurrent device close operations from corrupting heap metadata and eliminate the risk of crashes or exploitation. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart