CVE-2025-68657

{"id": "CVE-2025-68657", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-68657", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T18:40:17.159910Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "espressif", "product": "esp-usb", "versions": [{"status": "affected", "version": "< 1.1.0"}]}]}], "published": "2026-01-12T18:15:48.610", "references": [{"url": "https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0."}, {"lang": "es", "value": "El controlador Espressif ESP-IDF USB Host HID (dispositivo de interfaz humana) permite el acceso a dispositivos HID. Antes de la versi\u00f3n 1.1.0, las llamadas a hid_host_device_close() pueden liberar la misma usb_transfer_t dos veces. La devoluci\u00f3n de llamada de eventos USB y el c\u00f3digo de usuario comparten el estado de hid_iface_t sin bloqueo, por lo que ambos pueden desmantelar una interfaz READY simult\u00e1neamente, corrompiendo los metadatos del heap dentro de la pila de host USB de ESP. Esta vulnerabilidad se corrige en la versi\u00f3n 1.1.0."}], "lastModified": "2026-06-17T09:59:23.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:espressif:usb_host_hid_driver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "139CC02D-BC53-4537-B250-9AD6B260F309", "versionEndExcluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}