CVE-2025-68657

6.4 MEDIUM

📋 TL;DR

This CVE describes a double-free vulnerability in the Espressif ESP-IDF USB Host HID Driver that can corrupt heap metadata. An attacker could crash the device or potentially execute arbitrary code by exploiting the race condition between USB event callbacks and user code. This affects any ESP32-based device using USB Host HID functionality with the usb_host_hid component at a version before 1.1.0.

💻 Affected Systems

Products:
  • Espressif ESP-IDF USB Host HID Driver
Versions: All versions prior to 1.1.0
Operating Systems: ESP-IDF (Espressif IoT Development Framework)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using USB Host HID functionality. ESP32, ESP32-S2, ESP32-S3, ESP32-C3, and ESP32-C6 devices are potentially affected when using USB host mode.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case: Device crash or denial of service through heap corruption, potentially requiring physical reset.

🟢 If Mitigated: Limited impact with proper network segmentation and device isolation.

🌐 Internet-Facing: MEDIUM - Requires USB device interaction but could be exploited via malicious USB peripherals or network-connected USB devices.
🏢 Internal Only: MEDIUM - Internal attackers with physical access or network access to USB-connected devices could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires race condition timing and USB device interaction. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv

Restart Required: Yes

Instructions:

1. Update ESP-IDF to the latest version.
2. Update the usb_host_hid component to version 1.1.0 or later.
3. Recompile and flash the firmware to affected devices.
4. Restart the devices to apply the new firmware.

🔧 Temporary Workarounds

Disable USB Host HID functionality (applies to: all)

Remove or disable the USB Host HID driver if it is not required for device functionality:
  • Modify sdkconfig to disable CONFIG_USB_HOST_HID
  • Remove the usb_host_hid component from the project

Implement application-level locking (applies to: all)

Add mutex protection around hid_host_device_close() calls in application code:
  • Add pthread_mutex_lock/unlock or similar around hid_host_device_close() calls
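The guard this workaround describes, as an added example that is not from the advisory or from esp-usb: it makes the close idempotent with a C11 atomic state transition (a FreeRTOS or pthread mutex protecting the same flag is equivalent), and uses a constructed stand-in for hid_host_device_close() because the real driver is not available here.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Lifecycle states the application tracks for each HID device handle. */
enum dev_state { DEV_OPEN = 0, DEV_CLOSING = 1, DEV_CLOSED = 2 };

/* Hypothetical application record: the real hid_host_device_handle_t is
 * opaque, so a plain int stands in for it (constructed for this example). */
struct hid_dev {
    int handle;
    atomic_int state;
    int driver_closes;  /* how many times the underlying close actually ran */
};

/* Stand-in for the driver's hid_host_device_close(), constructed so the block
 * runs without ESP-IDF. Calling the real function twice for one handle is the
 * double-free the advisory describes, so this must run at most once. */
static int stub_hid_host_device_close(struct hid_dev *d) {
    d->driver_closes++;
    return 0;
}

/* Idempotent close: whichever caller (USB event callback or user task) wins
 * the OPEN->CLOSING transition performs the release; every other caller
 * returns without touching the handle, so the driver never sees a second close. */
int hid_dev_close_once(struct hid_dev *d) {
    int expected = DEV_OPEN;
    if (!atomic_compare_exchange_strong(&d->state, &expected, DEV_CLOSING))
        return -1;  /* already closing or closed: no-op, nothing freed twice */
    int rc = stub_hid_host_device_close(d);
    atomic_store(&d->state, DEV_CLOSED);
    return rc;
}

/* Replays the race from the advisory sequentially: the disconnect callback
 * closes the device, then application code closes it again.
 * Returns how many times the driver's close ran (1 with the guard in place). */
int replay_callback_then_user_close(void) {
    struct hid_dev dev = { .handle = 7, .driver_closes = 0 };
    atomic_init(&dev.state, DEV_OPEN);
    int cb_rc = hid_dev_close_once(&dev);    /* path 1: USB event callback */
    int user_rc = hid_dev_close_once(&dev);  /* path 2: application code */
    printf("callback rc=%d user rc=%d driver closes=%d\n",
           cb_rc, user_rc, dev.driver_closes);
    return dev.driver_closes;
}

int main(void) { return replay_callback_then_user_close() == 1 ? 0 : 1; }
```

The same OPEN/CLOSING/CLOSED flag can sit under the mutex the workaround names; the point is that both the callback path and the user path go through one guarded entry before the handle is released.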

🧯 If You Can't Patch

  • Isolate affected devices on separate network segments
  • Implement strict USB device whitelisting and monitoring

🔍 How to Verify

Check if Vulnerable:

Check ESP-IDF version and usb_host_hid component version in sdkconfig or component.mk files.

Check Version:

idf.py --version && grep -r "usb_host_hid" components/ idf_component.yml

Verify Fix Applied:

Verify usb_host_hid component version is 1.1.0 or higher in idf_component.yml or component registry.

📡 Detection & Monitoring

Log Indicators:

  • Heap corruption errors
  • USB stack crashes
  • Double-free detection messages

Network Indicators:

  • Unexpected device reboots
  • USB device enumeration failures

SIEM Query:

device_logs: ("heap corruption" OR "double free" OR "usb_host_hid") AND device_type:esp32
