PatchSiren cyber security CVE debrief

CVE-2026-47104 libusb CVE debrief

libusb versions prior to 1.0.30 contain a one-byte out-of-bounds read in the parse_iad_array() function in descriptor.c. The flaw is triggered when a malformed USB Interface Association Descriptor (IAD) carries a bLength field equal to the remaining buffer size minus one. The bounds check compares bLength against the original buffer size rather than the bytes remaining, so the descriptor walk reads one byte past the end of the heap allocation. The vulnerable code is reachable through the libusb_get_active_interface_association_descriptors() and libusb_get_interface_association_descriptors() API functions. Attackers in virtualized environments with USB passthrough can supply crafted descriptors to cause a denial of service. The CVSS 4.0 vector indicates a local attack vector, low attack complexity, no privileges required, and low availability impact. The vulnerability was disclosed on 2026-05-27 and is classified as CWE-125 (Out-of-bounds Read). A fix has been committed and released in version 1.0.30.

Vendor: libusb
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Organizations running virtualized infrastructure with USB passthrough capabilities, embedded systems using libusb for USB device management, and developers of applications processing untrusted USB descriptors through libusb's IAD retrieval functions.

Technical summary

The vulnerability exists in parse_iad_array() in descriptor.c, where the bounds check compares a descriptor's bLength against the original buffer size instead of the remaining size. A malformed IAD with bLength = remaining_size - 1 passes that check, and the walk then reads one byte beyond the malloc allocation, leading to denial of service. The affected APIs are libusb_get_active_interface_association_descriptors() and libusb_get_interface_association_descriptors(). The attack surface is primarily virtualized environments with USB passthrough, where an attacker can control USB descriptor content.
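The following C program is an added illustration of the off-by-one pattern described above, written for this debrief; it is not libusb's code and does not reproduce the project's parser. The weak walk only models the decision the flawed check would make (it tracks offsets and never dereferences past the buffer), while count_iads_strict() shows the check a hardened walker needs: bounding bLength by the bytes remaining and refusing to read a header when fewer than two bytes are left. The descriptor buffers are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed illustration of the off-by-one described above; not libusb's code. */
#define USB_DT_INTERFACE_ASSOCIATION 0x0B
#define IAD_SIZE 8
/* Weak walk modelled on the flaw: bLength is bounded by the ORIGINAL size, and the 2-byte
 * header is read whenever consumed < size. Returns how far past the end that read would go. */
size_t weak_loop_overread(const uint8_t *buf, size_t size) {
    size_t consumed = 0;
    while (consumed < size) {
        if (size - consumed < 2)           /* header would straddle the end... */
            return 2 - (size - consumed);  /* ...and the weak loop reads it anyway */
        uint8_t bLength = buf[consumed];
        if (bLength < 2 || bLength > size) /* wrong bound: total, not remaining */
            return 0;
        consumed += bLength;
    }
    return 0;
}

/* Hardened walk: a header needs 2 bytes left and a descriptor must fit in the
 * bytes REMAINING. Returns the IAD count, or -1 for a malformed buffer. */
int count_iads_strict(const uint8_t *buf, size_t size) {
    size_t consumed = 0;
    int n = 0;
    while (consumed < size) {
        size_t remaining = size - consumed;
        if (remaining < 2) return -1;                  /* truncated header */
        uint8_t bLength = buf[consumed], bType = buf[consumed + 1];
        if (bLength < 2 || bLength > remaining) return -1;
        if (bType == USB_DT_INTERFACE_ASSOCIATION) {
            if (bLength < IAD_SIZE) return -1;         /* short IAD */
            n++;
        }
        consumed += bLength;
    }
    return n;
}

/* Constructed buffers: a 9-byte interface descriptor (type 0x04) then an 8-byte IAD. In
 * `bad` the IAD's bLength (8) is one less than the 9 bytes remaining: one trailing byte. */
static const uint8_t good[] = { 9,0x04,0,0,0,0,0,0,0,  8,0x0B,0,2,0xEF,0x02,0x01,0 };
static const uint8_t bad[]  = { 9,0x04,0,0,0,0,0,0,0,  8,0x0B,0,2,0xEF,0x02,0x01,0, 0xAA };

int main(void) {
    printf("good: overread=%zu iads=%d\n", weak_loop_overread(good, sizeof good), count_iads_strict(good, sizeof good));
    printf("bad:  overread=%zu iads=%d\n", weak_loop_overread(bad, sizeof bad), count_iads_strict(bad, sizeof bad));
    return 0;
}
```

On the well-formed buffer both walks agree; on the malformed one the weak walk would read one byte past the end, while the strict walk rejects the array before touching it.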

Defensive priority

medium

Recommended defensive actions

  • Upgrade libusb to version 1.0.30 or later to remediate the out-of-bounds read vulnerability
  • Audit applications using libusb_get_active_interface_association_descriptors() or libusb_get_interface_association_descriptors() for exposure to untrusted USB descriptors
  • In virtualized environments with USB passthrough, restrict access to untrusted USB devices until patching is complete
  • Monitor for application crashes or abnormal termination in libusb-dependent services as potential indicators of exploitation attempts
  • Review custom USB descriptor handling code for similar off-by-one bounds check errors

Evidence notes

Vulnerability description sourced from the NVD record with a CVE published date of 2026-05-27. Technical details confirmed through the VulnCheck advisory and libusb GitHub commit 578ab76b4c434f8b204137ab6d7310689c7a9704. CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. CWE-125 classification from source. Fix version 1.0.30 confirmed via the GitHub release tag.

Official resources

2026-05-27T14:17:32.590Z