Description
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service.
Published: 2026-05-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a one-byte out-of-bounds read in the parse_iad_array() function in descriptor.c of libusb prior to version 1.0.30. When a descriptor's bLength is one less than the size of the buffer being parsed, the bounds check compares bLength against the original buffer size rather than against the bytes that remain, so the parser reads one byte past the end of the malloc allocation. A single-byte heap over-read normally has no visible effect, but it aborts the process when the byte falls on an unmapped page or when the library runs under a hardening allocator or AddressSanitizer; that abort is the denial-of-service condition the advisory describes. No data is disclosed and no memory is written. The weakness is classified as CWE-125 and is scored 5.1 under CVSS 4.0 and 4.0 under CVSS 3.1, both with availability impact Low and no confidentiality or integrity impact. The attacker does not call the library directly: an application reaches the vulnerable parser when it calls libusb_get_active_interface_association_descriptors() or libusb_get_interface_association_descriptors() on a device whose descriptors the attacker controls.
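The following C program is an added illustration of the bug class the description above names; it is reconstructed from that description and is not libusb's source, and the function names (count_iads_vulnerable, count_iads_fixed, header_byte), the struct and the three descriptor buffers are hypothetical, constructed inputs. The "before" scan checks bLength against the original buffer size and reads a two-byte header whenever any byte is left, so a descriptor whose bLength is size - 1 leaves one byte and the next header read lands one byte past the end. The reads are simulated (the index is recorded and an out-of-range access is refused) so the vulnerable loop can be run safely; a real parser would dereference heap memory it does not own at that point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB Interface Association Descriptor: bDescriptorType 0x0B, bLength 8
 * (USB 2.0 Interface Association Descriptor ECN). */
#define DT_INTERFACE_ASSOCIATION 0x0Bu
#define IAD_SIZE 8u

/* What a first-pass "count the IADs" scan did: IADs counted, the highest
 * buffer index it dereferenced, whether that index was past the end of the
 * buffer, and whether it bailed out on a malformed descriptor. */
struct iad_scan {
    int iad_count;
    size_t max_index_read;
    int read_past_end;
    int rejected;
};

/* Read one header byte, but simulate the access: record the index and refuse
 * to touch memory past the end, so the vulnerable loop can run safely. */
static uint8_t header_byte(const uint8_t *buf, size_t size, size_t i, struct iad_scan *s)
{
    if (i > s->max_index_read)
        s->max_index_read = i;
    if (i >= size) {
        s->read_past_end = 1;   /* a real parser would read past the malloc'd block here */
        return 0;
    }
    return buf[i];
}

/* Hypothetical "before" pattern (a reconstruction, not libusb's code): the loop
 * enters as long as any byte is left, then reads a 2-byte header, and bLength
 * is checked against the ORIGINAL size instead of what remains. */
struct iad_scan count_iads_vulnerable(const uint8_t *buf, size_t size)
{
    struct iad_scan s = {0, 0, 0, 0};
    size_t consumed = 0;

    while (consumed < size) {
        uint8_t bLength = header_byte(buf, size, consumed, &s);
        uint8_t bType   = header_byte(buf, size, consumed + 1, &s); /* 1 past the end when 1 byte remains */
        if (bLength < 2 || bLength > size) {   /* BUG: should compare with size - consumed */
            s.rejected = 1;
            break;
        }
        if (bType == DT_INTERFACE_ASSOCIATION && bLength >= IAD_SIZE)
            s.iad_count++;
        consumed += bLength;
    }
    return s;
}

/* Hardened pattern: every check is keyed to the bytes that remain. A header is
 * read only when two bytes remain, a descriptor is accepted only when it fits
 * in the remaining bytes, and a leftover tail is treated as malformed. */
struct iad_scan count_iads_fixed(const uint8_t *buf, size_t size)
{
    struct iad_scan s = {0, 0, 0, 0};
    size_t consumed = 0;

    while (size - consumed >= 2) {
        size_t remaining = size - consumed;
        uint8_t bLength = header_byte(buf, size, consumed, &s);
        uint8_t bType   = header_byte(buf, size, consumed + 1, &s);
        if (bLength < 2 || bLength > remaining) {
            s.rejected = 1;
            break;
        }
        if (bType == DT_INTERFACE_ASSOCIATION && bLength >= IAD_SIZE)
            s.iad_count++;
        consumed += bLength;
    }
    if (!s.rejected && consumed != size)
        s.rejected = 1;
    return s;
}

/* Constructed inputs (not captured from any device). */
/* One valid 8-byte IAD plus a single trailing byte: bLength is size - 1, so
 * exactly one byte is left when the next header is read. */
static const uint8_t iad_then_one_byte[9] = {
    0x08, 0x0B, 0x00, 0x02, 0x02, 0x02, 0x00, 0x00,
    0x00
};
/* Two well-formed IADs. */
static const uint8_t two_iads[16] = {
    0x08, 0x0B, 0x00, 0x02, 0x02, 0x02, 0x00, 0x00,
    0x08, 0x0B, 0x02, 0x02, 0xFF, 0x00, 0x00, 0x00
};
/* A valid IAD followed by a descriptor whose bLength (12) is below the original
 * size (16) but larger than the 8 bytes that remain. */
static const uint8_t iad_then_oversized[16] = {
    0x08, 0x0B, 0x00, 0x02, 0x02, 0x02, 0x00, 0x00,
    0x0C, 0x0B, 0x02, 0x02, 0xFF, 0x00, 0x00, 0x00
};

int main(void)
{
    struct iad_scan v = count_iads_vulnerable(iad_then_one_byte, sizeof iad_then_one_byte);
    struct iad_scan f = count_iads_fixed(iad_then_one_byte, sizeof iad_then_one_byte);
    printf("vulnerable: iads=%d max_index=%zu past_end=%d\n",
           v.iad_count, v.max_index_read, v.read_past_end);
    printf("fixed:      iads=%d max_index=%zu past_end=%d rejected=%d\n",
           f.iad_count, f.max_index_read, f.read_past_end, f.rejected);
    return 0;
}
```

On the 9-byte buffer the vulnerable scan touches index 9 (one past the end) while the fixed scan stops at the header of the first descriptor and reports the one-byte tail as malformed. The third buffer shows why the comparison must use the remaining size: the vulnerable scan accepts a descriptor that claims 12 bytes when only 8 are left, which a later pass that copied bLength bytes would turn into a larger over-read; the fixed scan rejects it.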

Affected Systems

The affected product is the libusb library, before release 1.0.30. Versions 1.0.30 and later contain the fix. No additional vendors or products are listed, so the scope is limited to systems that ship or use the vulnerable libusb library.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (AV:L/AC:L/AT:N/PR:N/UI:N with availability impact Low) and the CVSS 3.1 score of 4.0 reflect a moderate denial-of-service risk: the attack needs local, USB-level access but no privileges and no user interaction. EPSS is below 1%, and the SSVC assessment records Exploitation "none", Automatable "no" and Technical Impact "partial". The vulnerability is not listed in the CISA KEV catalog. An attacker must get the host to process a malformed descriptor, typically by controlling the USB device itself (physical access or a programmable device) or by passing a crafted device through to a guest or host with USB passthrough in a virtualized environment. Remote exploitation would require a remote USB-attach path such as USB over IP.

Generated by OpenCVE AI on May 27, 2026 at 17:45 UTC.

Remediation

No vendor-supplied fix or workaround is recorded on this page. The CVE description states that versions before 1.0.30 are affected, which implies the fix ships in 1.0.30.

OpenCVE Recommended Actions

  • Upgrade libusb to version 1.0.30 or later, which contains the out‑of‑bounds read fix; the installed version can be checked with pkg-config --modversion libusb-1.0
  • If an immediate update is not viable, avoid calling libusb_get_active_interface_association_descriptors and libusb_get_interface_association_descriptors on devices you do not trust, and restrict which USB devices may be attached or passed through to virtual machines to trusted users and devices only
  • Rebuild any application that statically links or bundles libusb against the fixed source, since such applications do not pick up a system library update

Generated by OpenCVE AI on May 27, 2026 at 17:45 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:libusb:libusb:*:*:*:*:*:*:*:*

Thu, 28 May 2026 01:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Libusb; Libusb libusb
Vendors & Products | | Libusb; Libusb libusb

Wed, 27 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service.
Title | | libusb < 1.0.30 Out-of-Bounds Read in parse_iad_array()
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1: {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-27T15:32:24.112Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47104

Vulnrichment

Updated: 2026-05-27T15:32:21.260Z

NVD

Status : Analyzed

Published: 2026-05-27T14:17:32.590

Modified: 2026-06-17T10:54:19.620

Link: CVE-2026-47104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:00:02Z

Weaknesses