CVE-2025-68622 in esp-usb

Summary

by MITRE • 01/12/2026

Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0.


Analysis

by VulDB Data Team • 01/13/2026

The vulnerability identified as CVE-2025-68622 resides within the Espressif ESP-IDF USB Host UVC Class Driver implementation, specifically affecting versions prior to 2.4.0. This flaw manifests in the esp-usb UVC host component responsible for facilitating video streaming from USB cameras through the ESP-IDF framework. The vulnerability stems from inadequate input validation during the parsing of USB configuration descriptors, creating a critical security gap that can be exploited by malicious USB devices. The affected system operates within embedded environments where USB host functionality is essential for camera integration and video processing applications.

The flaw is a classic stack buffer overflow that occurs while processing USB configuration descriptors. When descriptor printing is enabled, the UVC host driver parses and displays the fields of descriptors received from connected USB devices. The driver does not validate the length field of the UVC descriptor before using it to copy data into a fixed-size stack buffer, so a malicious USB device that supplies a descriptor with an excessively large length value causes that data to be copied without bounds checking, corrupting stack memory in a way that can lead to arbitrary code execution or system instability. This maps to CWE-121 (Stack-based Buffer Overflow), a member of the broader buffer-overflow class of memory-integrity weaknesses.

The operational impact of this vulnerability extends beyond simple system crashes or instability, as it creates a potential attack surface for malicious USB devices to compromise embedded systems running ESP-IDF firmware. Attackers can exploit this weakness by connecting a specially crafted USB camera that presents malformed UVC descriptors with oversized length fields, enabling them to overwrite adjacent stack memory locations. This memory corruption can potentially allow attackers to execute arbitrary code with the privileges of the USB host driver, leading to complete system compromise or denial of service conditions. The vulnerability is particularly concerning in embedded systems where USB connectivity is common and where the system may be exposed to untrusted USB devices, making it a significant risk for IoT devices, embedded video systems, and any application relying on USB camera integration.

Mitigation strategies for CVE-2025-68622 primarily focus on upgrading to the patched version 2.4.0 of the ESP-IDF framework, which implements proper validation of descriptor length fields before buffer operations. Organizations should conduct immediate firmware updates across all affected systems to prevent exploitation. Additionally, system administrators can implement USB device whitelisting policies to restrict connections to trusted devices only, and disable UVC descriptor printing functionality when not required for debugging purposes. The implementation of runtime protections such as stack canaries and address space layout randomization can provide additional defense-in-depth measures. From an operational security perspective, organizations should review their USB device management policies and ensure that USB host functionality is only enabled when necessary for system operation, aligning with the principle of least privilege as recommended in the MITRE ATT&CK framework for USB device manipulation techniques.
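The following C sketch is an added illustration of the descriptor-length check described in the analysis above; it is not code from esp-usb, ESP-IDF or the VulDB entry. It walks a configuration descriptor blob, validates each descriptor's bLength against the remaining data and against the local copy buffer before the memcpy, and stops at the first rejected descriptor. Only the generic USB descriptor header layout (bLength, bDescriptorType) is real; the function names, the 32-byte buffer size, the error codes and the sample descriptor blobs are constructed assumptions, since the page does not state the driver's actual buffer size or code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Every standard USB descriptor begins with a 2-byte header:
 * bLength (total size of this descriptor) and bDescriptorType. */
#define DESC_HDR_LEN 2

/* Assumed size of the fixed stack buffer a descriptor-printing routine
 * copies into; the real driver's buffer size is not stated on the page. */
#define DESC_COPY_BUF 32

typedef enum {
    DESC_OK = 0,
    DESC_ERR_TRUNCATED,   /* bLength claims more bytes than remain in the config data */
    DESC_ERR_TOO_SHORT,   /* bLength smaller than the 2-byte header */
    DESC_ERR_TOO_LARGE    /* bLength larger than the local copy buffer */
} desc_status_t;

/* Validate the descriptor starting at byte offset `off` of a configuration
 * blob of `total` bytes. On success *out_len receives the checked bLength. */
desc_status_t desc_check(const uint8_t *cfg, size_t total, size_t off, size_t *out_len)
{
    if (off > total || total - off < DESC_HDR_LEN) return DESC_ERR_TRUNCATED;
    size_t len = cfg[off];                      /* bLength is device-controlled */
    if (len < DESC_HDR_LEN)   return DESC_ERR_TOO_SHORT;
    if (len > total - off)    return DESC_ERR_TRUNCATED;
    if (len > DESC_COPY_BUF)  return DESC_ERR_TOO_LARGE;
    *out_len = len;
    return DESC_OK;
}

/* Hardened walk-and-print. The unchecked form the advisory describes is this
 * same loop with desc_check() omitted, i.e. memcpy(local, cfg + off, cfg[off])
 * driven purely by the device-supplied length (CWE-121). Returns the number of
 * descriptors printed and reports the first rejection via *first_err. */
int desc_walk_and_print(const uint8_t *cfg, size_t total, desc_status_t *first_err)
{
    uint8_t local[DESC_COPY_BUF];               /* fixed-size stack buffer */
    size_t off = 0;
    int count = 0;
    *first_err = DESC_OK;
    while (off < total) {
        size_t len;
        desc_status_t st = desc_check(cfg, total, off, &len);
        if (st != DESC_OK) { *first_err = st; return count; }
        memcpy(local, cfg + off, len);          /* safe: len <= DESC_COPY_BUF */
        printf("descriptor type 0x%02x, %zu bytes\n", local[1], len);
        off += len;
        count++;
    }
    return count;
}

/* Constructed samples (not captured from any real device). */
/* 9-byte configuration descriptor followed by a 9-byte interface descriptor. */
static const uint8_t good_cfg[] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0x0E, 0x01, 0x00, 0x00
};
/* Same layout, but the second descriptor advertises bLength = 0xFF while only
 * 9 bytes remain: the oversized-length case the advisory describes. */
static const uint8_t bad_cfg[] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0xFF, 0x24, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};
/* A 40-byte descriptor that is fully present in the data yet still exceeds the
 * 32-byte copy buffer; checking only against remaining bytes would miss it. */
static const uint8_t big_cfg[40] = { 0x28, 0x24 };

/* Small wrappers returning plain ints so results can be checked in code. */
int demo_count(const uint8_t *cfg, size_t total)
{
    desc_status_t e;
    return desc_walk_and_print(cfg, total, &e);
}
int demo_err(const uint8_t *cfg, size_t total)
{
    desc_status_t e;
    desc_walk_and_print(cfg, total, &e);
    return (int)e;
}

int main(void)
{
    printf("good: %d printed, err %d\n", demo_count(good_cfg, sizeof good_cfg), demo_err(good_cfg, sizeof good_cfg));
    printf("bad:  %d printed, err %d\n", demo_count(bad_cfg, sizeof bad_cfg), demo_err(bad_cfg, sizeof bad_cfg));
    printf("big:  %d printed, err %d\n", demo_count(big_cfg, sizeof big_cfg), demo_err(big_cfg, sizeof big_cfg));
    return 0;
}
```

The two separate comparisons in desc_check matter: a length bounded by the remaining configuration data can still exceed the local buffer (the big_cfg case), and a length that fits the buffer can still run past the end of the data (the bad_cfg case), so both limits must be enforced before any copy.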

Responsible

GitHub M

Reservation

12/19/2025

Disclosure

01/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00042

KEV

no

Activities

very low
