216.73.217.98

CVE-2025-68656

· Published 12/01/2026 18:15 · Modified 13/01/2026 14:03

Labels: CVE-2025-68656 2026-01-12CVE-2025-68656CWE-416[email protected]

Essential information

Published
12/01/2026 18:15
Modified
13/01/2026 14:03
Author
Creator
CVSS
6.8 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
espressif / esp-idf cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*
espressif / usb host hid driver cpe:2.3:a:espressif:usb_host_hid_driver:<1.1.0:*:*:*:*:*:*:*

References