Description

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.

INFO

Published Date: 2026-01-12T17:26:51.106Z

Last Modified: 2026-01-12T18:40:25.838Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-68657 vulnerability.

Vendor: Espressif
Products:
  • Esp-usb
  • Usb Host Hid Driver
