CVE-2025-68657
Double Free Heap Corruption in Espressif ESP-IDF USB Host HID

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.
Meta Information
Published: 2026-01-12
Last Modified: 2026-01-12
Generated: 2026-05-27
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
espressif | usb_host_hid | to 1.1.0 (exc)
espressif | usb_host_hid | 1.1.0
espressif | esp-usb | *
CWE ID | Description
CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
CWE-415 | The product calls free() twice on the same memory address.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Espressif ESP-IDF USB Host HID driver, specifically in the function hid_host_device_close(). Prior to version 1.1.0, concurrent calls to this function could cause the same usb_transfer_t memory to be freed twice due to lack of proper synchronization. The USB event callback and user code share the hid_iface_t state without locking, allowing both to simultaneously tear down a READY interface. This leads to heap metadata corruption inside the ESP USB host stack, potentially causing crashes or memory corruption. [2, 3]


How can this vulnerability impact me?

This vulnerability can cause double-free and use-after-free conditions in the host process, which may allow a malicious HID device to crash the host system or manipulate heap metadata. Exploiting this requires extremely precise timing due to existing serialization mechanisms, making practical exploitation difficult without additional flaws. However, if exploited, it can impact system stability and security by causing memory corruption and potential denial of service. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a race condition in the Espressif ESP-IDF USB Host HID driver that occurs during concurrent calls to hid_host_device_close(), leading to double-free and heap corruption. Detection involves monitoring for crashes, heap corruption, or unusual USB HID device disconnect behavior. Since the vulnerability window is extremely narrow and timing-dependent, direct detection via commands is challenging. However, you can check the version of the usb_host_hid driver installed on your system to ensure it is version 1.1.0 or later, which includes the fix. For Espressif ESP-IDF, you can verify the version of the usb_host_hid component in your build environment or firmware. Specific commands to detect the vulnerability are not provided in the resources. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Espressif ESP-IDF usb_host_hid driver to version 1.1.0 or later, where the vulnerability is fixed. This version introduces a mutex to serialize open and close operations on HID devices, preventing the race condition and double-free issues. Additionally, ensure that your system is not running vulnerable versions (1.0.4 or earlier) of the usb_host_hid component. Applying the update will prevent concurrent device close operations from corrupting heap metadata and eliminate the risk of crashes or exploitation. [1, 2, 3]
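
The unlocked check-then-teardown from the description, next to the mutex-serialized form the mitigation answer refers to, as an added host-side model in C with POSIX threads. It is not the driver's code: `model_iface_t`, `model_close`, `run_two_closers` and the two states are hypothetical names, the barrier is constructed to hold both callers inside the race window, and releases are counted rather than passed to free().

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
enum { IFACE_READY, IFACE_IDLE };   /* hypothetical model states */

typedef struct {
    atomic_int        state, releases;  /* releases: counted teardowns, never a real second free() */
    bool              use_lock;         /* false: unlocked shape, true: serialized */
    pthread_mutex_t   lock;
    pthread_barrier_t window;           /* constructed: parks both callers in the race window */
} model_iface_t;

static void *model_close(void *arg) {
    model_iface_t *i = arg;
    if (i->use_lock) {
        pthread_mutex_lock(&i->lock);                 /* check and teardown are one critical section */
        if (atomic_load(&i->state) == IFACE_READY) {
            atomic_fetch_add(&i->releases, 1);
            atomic_store(&i->state, IFACE_IDLE);
        }
        pthread_mutex_unlock(&i->lock);
    } else {
        bool ready = atomic_load(&i->state) == IFACE_READY;  /* unsynchronized check */
        pthread_barrier_wait(&i->window);                    /* both callers have now seen READY */
        if (ready) {                                         /* each acts on its stale view */
            atomic_fetch_add(&i->releases, 1);
            atomic_store(&i->state, IFACE_IDLE);
        }
    }
    return NULL;
}

/* Two concurrent closers (event callback and user code); returns the release count. */
int run_two_closers(bool use_lock) {
    model_iface_t i = { .state = IFACE_READY, .use_lock = use_lock };
    pthread_t a, b;
    pthread_mutex_init(&i.lock, NULL);
    pthread_barrier_init(&i.window, NULL, 2);
    pthread_create(&a, NULL, model_close, &i);
    pthread_create(&b, NULL, model_close, &i);
    pthread_join(a, NULL); pthread_join(b, NULL);
    return atomic_load(&i.releases);
}

int main(void) {
    printf("unlocked=%d locked=%d\n", run_two_closers(false), run_two_closers(true));
    return 0;
}
```

In the unlocked run both callers release the same transfer stand-in; with the lock held across the state check and the teardown, the second caller finds the interface already idle and releases nothing.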

