Skip to main content

libusb CVE-2026-23679

| EUVDEUVD-2026-32502 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-27 disclosure@vulncheck.com GHSA-jp69-qvgm-mqwx
6.9
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.2 MEDIUM
qualitative

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 22:24 vuln.today
Analysis Generated
May 27, 2026 - 22:24 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.

AnalysisAI

NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.

Technical ContextAI

libusb is a widely embedded C library that provides userspace applications with generic, OS-independent access to USB devices. Descriptor parsing occurs in descriptor.c; the entry point parse_configuration() calls parse_interface() for each interface claimed by a USB configuration. The bug manifests when an interface descriptor sets bNumEndpoints greater than zero but the immediately following descriptor is a class-specific descriptor whose bLength field exceeds the remaining buffer size. The bounds check causes parse_interface() to return early before it executes the malloc() that allocates the endpoint array, leaving the pointer NULL. CWE-125 (Out-of-bounds Read) is the root cause class: the oversized bLength triggers an early-exit guard that was intended to protect against a read overrun, but the guard was placed incorrectly relative to the endpoint array allocation, creating a second-order NULL dereference when callers later iterate over the (non-existent) endpoints. The fix at commit 578ab76b4c434f8b204137ab6d7310689c7a9704 also introduces an OSS-Fuzz integration target (fuzz_descriptor_parsers.c) and three regression corpus binaries, confirming the issue was verified through fuzz testing before release.

RemediationAI

The vendor-released patch is libusb version 1.0.30, available at https://github.com/libusb/libusb/releases/tag/v1.0.30. The fix is implemented in commit 578ab76b4c434f8b204137ab6d7310689c7a9704, which corrects the endpoint array allocation logic in parse_interface() and adds fuzz regression corpus coverage to prevent recurrence. Applications that statically link libusb must be recompiled against 1.0.30; dynamically linked applications benefit from upgrading the shared library. If an immediate upgrade is not feasible, restrict descriptor sources reachable by the vulnerable library: in hypervisor environments, limit USB passthrough to enumerated, trusted physical devices and audit which VMs have passthrough rights; in applications that parse descriptors from files or network streams, add input validation to reject descriptors whose interface-claimed bNumEndpoints is non-zero when the subsequent class-specific descriptor bLength would exceed the buffer - this trades completeness of USB device support for crash prevention. Note that descriptor-level filtering requires application-side changes and may break support for legitimate devices with unusual descriptor layouts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-23679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy