CVE-2026-23679 libusb CVE debrief

Who should care

Organizations using libusb in security-sensitive applications, virtualization platforms with USB passthrough, embedded systems with USB device enumeration, and developers of USB management tools or security scanning software that processes untrusted USB descriptors.

Technical summary

The vulnerability exists in libusb's descriptor parsing logic where `parse_interface()` fails to allocate the `endpoint` array when encountering malformed class-specific descriptors that trigger early return. The function sets `interface->endpoint = NULL` but leaves `interface->bNumEndpoints > 0`, creating an inconsistency. Subsequent code paths that iterate from 0 to `bNumEndpoints-1` and access `interface->endpoint[i]` dereference NULL, causing a crash. The fix ensures proper allocation or error handling before returning. The CVSS 4.0 vector indicates local attack vector with high availability impact (AV:L/VA:H).

Defensive priority

medium

Recommended defensive actions

• Upgrade libusb to version 1.0.30 or later to obtain the fix for the NULL pointer dereference in parse_interface()
• Validate USB configuration descriptors from untrusted sources (virtualized passthrough, network, or file-based inputs) before processing with libusb functions
• Monitor application logs for crashes in libusb_get_active_config_descriptor or libusb_get_config_descriptor calls that may indicate exploitation attempts
• Review applications that iterate over USB endpoints to ensure graceful handling of NULL endpoint arrays as a defense-in-depth measure
• Apply principle of least privilege to USB device access, restricting untrusted or virtualized USB passthrough where possible

Evidence notes

Vulnerability disclosed via Vulncheck advisory with GitHub commit, issue, and pull request references. Fix committed in libusb/libusb@578ab76b4c434f8b204137ab6d7310689c7a9704 and released in v1.0.30.

Official resources