CVE-2026-23679
MEDIUMlibusb < 1.0.30 NULL Pointer Dereference in parse_interface()
Title source: cnaDescription
libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.
References (5)
Core 5
Core References
Release Notes release-notes
https://github.com/libusb/libusb/releases/tag/v1.0.30
Technical Description technical-description
https://github.com/libusb/libusb/issues/1813
Issue Tracking issue-tracking
https://github.com/libusb/libusb/pull/1814
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/libusb-null-pointer-dereference-in-parse-interface
Scores
CVSS v3
6.2
EPSS
0.0019
EPSS Percentile
8.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-125
Status
published
Products (1)
libusb/libusb
< 1.0.30 (2 CPE variants)
Published
May 27, 2026
Tracked Since
May 27, 2026