QwikSec

Security Database

CVE

CWE

Training

CVE-2025-68657

Published: Jan 12, 2026

Modified: Jan 12, 2026

PUBLISHED

CVSS v3.1

6.4

MEDIUM

Description

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.

Vendor	Product	Versions
espressif	esp-usb	affected `< 1.1.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Physical

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv

x_refsource_CONFIRM

https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b

x_refsource_MISC

https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.