Skip to main content

libusb EUVDEUVD-2026-32500

| CVE-2026-47104 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-27 disclosure@vulncheck.com GHSA-fh6g-r8pf-wqgw
5.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 21:23 vuln.today
Analysis Generated
May 27, 2026 - 21:23 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service.

AnalysisAI

Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.

Technical ContextAI

libusb is a widely used portable C library providing generic, cross-platform access to USB devices. The vulnerable function parse_iad_array() in libusb/descriptor.c parses Interface Association Descriptors (IADs), which group related USB interfaces into composite device functions. The CWE-125 (Out-of-bounds Read) root cause is a classic off-by-one in the loop's remaining-bytes tracking: when iterating through a raw USB configuration descriptor buffer, the check uses the original total buffer length rather than the progressively decremented remaining length, so a descriptor whose bLength equals (total_size - 1) passes the check but positions the read pointer one byte beyond the allocation boundary on the next access. The two public API entry points that invoke this parser - libusb_get_active_interface_association_descriptors() and libusb_get_interface_association_descriptors() - are the externally-reachable surfaces. Fix commit 578ab76b4c434f8b204137ab6d7310689c7a9704 (v1.0.30) also introduces a dedicated OSS-Fuzz harness (fuzz_descriptor_parsers.c) using exact-size malloc copies with AddressSanitizer, and adds regression corpus file regression_bug_b_iad_oob.bin specifically for this bug class, confirming the issue was discovered or validated through fuzz testing.

RemediationAI

Upgrade to libusb v1.0.30 or later, which resolves the bounds-check error in parse_iad_array() as confirmed in commit 578ab76b4c434f8b204137ab6d7310689c7a9704 and the tagged release at https://github.com/libusb/libusb/releases/tag/v1.0.30. The upstream tracking issue is https://github.com/libusb/libusb/issues/1813 and the fix PR is https://github.com/libusb/libusb/pull/1814. For environments where an immediate upgrade is not feasible, the primary compensating control is to disable USB passthrough in the hypervisor configuration, which eliminates the attacker-controlled descriptor supply path entirely - note this will prevent guest VMs from using USB devices. If USB passthrough is operationally required, restrict it to trusted guest VMs and audit which processes invoke the affected libusb IAD APIs. Be aware that applications statically linking libusb must be recompiled and redeployed against v1.0.30 sources; a shared library upgrade alone will not remediate those consumers.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

EUVD-2026-32500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy