CVE-2025-68656 – This CVE describes a use-after-free vulnerabili... (How to Fix)

📋 TL;DR

This CVE describes a use-after-free vulnerability in Espressif ESP-IDF USB Host HID Driver. Attackers can trigger memory corruption by sending oversized HID Report Descriptor requests, potentially leading to arbitrary code execution or system crashes. This affects any ESP32-based devices using ESP-IDF USB Host HID Driver versions before 1.1.0.

💻 Affected Systems

Products:

Espressif ESP-IDF USB Host HID Driver

Versions: All versions prior to 1.1.0

Operating Systems: ESP-IDF (Espressif IoT Development Framework)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using USB Host HID functionality; requires attacker to send malicious USB HID requests

📦 What is this software?

Usb Host Hid Driver by Espressif

View all CVEs affecting Usb Host Hid Driver →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data exfiltration, or persistent backdoor installation

🟠

Likely Case

Device crash/reboot causing denial of service, potentially leading to memory corruption that could be leveraged for limited code execution

🟢

If Mitigated

Device remains stable with no security impact if patched or workarounds applied

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical USB access or compromised USB device; no public exploit code available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7

Restart Required: Yes

Instructions:

1. Update ESP-IDF USB Host HID component to version 1.1.0 or later
2. Rebuild and flash firmware to affected devices
3. Verify the fix by checking component version

🔧 Temporary Workarounds

Disable USB Host HID functionality

all

Remove or disable USB Host HID driver if not required

Modify sdkconfig to disable CONFIG_USB_HOST_HID

Implement USB device whitelisting

all

Restrict USB device connections to trusted devices only

🧯 If You Can't Patch

Physically secure USB ports or use USB port locks
Implement network segmentation to isolate vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check ESP-IDF USB Host HID component version; versions <1.1.0 are vulnerable

Check Version:

idf.py --version | grep usb_host_hid

Verify Fix Applied:

Verify component version is 1.1.0 or higher in idf_component.yml or component.mk

📡 Detection & Monitoring

Log Indicators:

USB HID descriptor request failures
Memory allocation errors
System crashes/reboots after USB connection

Network Indicators:

Unusual USB device enumeration patterns if monitored

SIEM Query:

device_logs WHERE message CONTAINS 'usb_host_hid' AND (message CONTAINS 'descriptor' OR message CONTAINS 'memory')

📊 Metadata

CVE ID: CVE-2025-68656

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.02% exploit probability (6th percentile)

Published: January 12, 2026

Last Updated: January 22, 2026

🔗 References

https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog Release Notes
https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 Patch
https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-68656, you might also want to check these: