Home > Vulnerability Database > CVE-2025-68656

Mend.io Vulnerability Database

CVE-2025-68656

Good to know:

Date: January 12, 2026

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0.

Severity Score

6.8

Related Resources (5)

Url: https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7

Url: https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660

Url: https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68656

Url: https://www.mend.io/vulnerability-database/CVE-2025-68656

Severity Score

6.8

Weakness Type (CWE)

Use After Free

CWE-416

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	PHYSICAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68656

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?