Vulnerability DatabaseCVE-2025-68657
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-68657
January 12, 2026
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.
Related ResourcesĀ (3)
https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv
https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b
https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.4
Attack Vector
PHYSICAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.4
Attack Vector
PHYSICAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Locking
CWE-667
Double Free
CWE-415
EPSS
Base Score:
0.02