Home > Vulnerability Database > CVE-2025-68657

Mend.io Vulnerability Database

CVE-2025-68657

Good to know:

Date: January 12, 2026

Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0.

Severity Score

6.4

Related Resources (5)

Url: https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b

Url: https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68657

Url: https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv

Url: https://www.mend.io/vulnerability-database/CVE-2025-68657

Severity Score

6.4

Weakness Type (CWE)

Double Free

CWE-415

Improper Locking

CWE-667

CVSS v3.1

Base Score:	6.4
Attack Vector (AV):	PHYSICAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68657

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?