CVE-2026-23679
Modified Modified - Updated After Analysis
NULL Pointer Dereference in libusb USB Descriptor Parsing

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: VulnCheck

Description
libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23679
EUVD
EUVD-2026-32502
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libusb libusb to 1.0.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libusb versions before 1.0.30 in the parse_interface() function. It occurs when a malformed USB configuration descriptor is provided where an interface claims to have a positive number of endpoints (bNumEndpoints > 0) but is followed by a class-specific descriptor whose length exceeds the remaining buffer size. This causes parse_interface() to return early without allocating the endpoint array, leaving the endpoint pointer as NULL despite bNumEndpoints being greater than zero.

As a result, any application that iterates over the endpoints and dereferences this NULL pointer will crash. Attackers can exploit this by supplying crafted USB descriptors through virtualized USB passthrough, file-based descriptor parsing, or network sources.

Impact Analysis

The primary impact of this vulnerability is that it allows attackers to cause a denial-of-service (DoS) condition by crashing applications that use libusb to parse USB configuration descriptors. When an application attempts to access the endpoints of a malformed descriptor, it dereferences a NULL pointer, leading to a crash.

This can disrupt normal operation of software relying on libusb, potentially affecting device communication or other USB-related functionality.

Detection Guidance

This vulnerability is triggered by malformed USB configuration descriptors provided by attached devices or via virtualized USB passthrough, file-based descriptor parsing, or network sources. Detection involves identifying applications that crash due to NULL pointer dereferences when processing USB descriptors.

Since the issue occurs in the parse_interface() function of libusb when handling USB descriptors, monitoring application crashes related to USB device enumeration or descriptor parsing can help detect exploitation attempts.

No specific detection commands are provided in the available resources. However, fuzzing tools targeting libusb's descriptor parsers, such as the fuzz_descriptor_parsers.c fuzzer added in the libusb project, can be used by developers or security researchers to identify malformed descriptors causing crashes.

Mitigation Strategies

The primary mitigation step is to upgrade libusb to version 1.0.30 or later, where the vulnerability has been fixed.

The fix resets the bNumEndpoints field to zero before returning in the parse_interface() function to prevent NULL pointer dereferences, and corrects buffer length checks in parse_iad_array() to avoid out-of-bounds reads.

Until upgrading, avoid using untrusted or potentially malicious USB devices or virtualized USB passthrough sources that could supply malformed descriptors.

Compliance Impact

The provided information does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart