Description
libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.
Published: 2026-05-27
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the parse_interface() function of libusb. It occurs when a USB configuration descriptor contains an interface that claims one or more endpoints but is followed by a class‑specific descriptor whose length exceeds the remaining buffer length. The function returns early without allocating the endpoint array, leaving a NULL endpoint pointer that applications will dereference, causing a crash. The weakness is identified as CWE‑125, a buffer overread scenario. No evidence in the description indicates arbitrary code execution; the main impact is to terminate the application, which can degrade service availability.

Affected Systems

Any software that links against libusb versions earlier than 1.0.30 on any operating system is potentially affected. This includes devices or applications that query USB descriptors through libusb_get_active_config_descriptor or libusb_get_config_descriptor, especially those that accept descriptors from untrusted virtualized USB passthrough, file-based sources, or network streams.

Risk and Exploitability

The CVSS score of 6.9 classifies the issue as a moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Likely attack vectors require an attacker to supply a malformed USB descriptor to the library, which could be done via virtual USB passthrough in virtualized environments or by feeding crafted descriptors through network interfaces that are parsed by applications using libusb. Because the flaw only causes a crash and not code execution, the primary threat is to availability rather than confidentiality or integrity.

Generated by OpenCVE AI on May 27, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libusb to version 1.0.30 or later, which includes the fix for the NULL pointer dereference bug.
  • If an upgrade is not immediately possible, limit usage of libusb_get_active_config_descriptor and libusb_get_config_descriptor to trusted sources only and validate descriptor sizes before passing them to libusb to prevent the early return path from creating NULL endpoints.
  • In virtualized or networked environments, disable or isolate USB passthrough capabilities that could provide untrusted descriptors to applications, or apply sandboxing to isolate applications that use libusb.

Generated by OpenCVE AI on May 27, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Libusb
Libusb libusb
Vendors & Products Libusb
Libusb libusb

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.
Title libusb < 1.0.30 NULL Pointer Dereference in parse_interface()
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Libusb Libusb
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-27T13:21:37.035Z

Reserved: 2026-01-14T17:13:44.903Z

Link: CVE-2026-23679

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T14:16:44.170

Modified: 2026-05-27T14:16:44.170

Link: CVE-2026-23679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses