From: Julien Olivain via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org, Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Subject: Re: [Buildroot] [PATCH] package/libusb: security bump to version 1.0.30
Date: Fri, 05 Jun 2026 23:00:04 +0200 [thread overview]
Message-ID: <a433bc2036e98d719277c87cafcc333a@free.fr> (raw)
In-Reply-To: <20260605070003.3911896-1-peter@korsgaard.com>
On 05/06/2026 09:00, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> CVE-2026-23679: libusb before version 1.0.30 contains a NULL pointer
> dereference vulnerability that allows attackers to crash applications
> by
> supplying a malformed USB configuration descriptor where an interface
> claims
> bNumEndpoints greater than zero but is followed by a class-specific
> descriptor whose bLength exceeds the remaining buffer size, causing
> parse_interface() to return early without allocating the endpoint
> array.
> Attackers can exploit this flaw through
> libusb_get_active_config_descriptor
> or libusb_get_config_descriptor by providing crafted descriptors via
> virtualized USB passthrough, file-based descriptor parsing, or network
> sources, causing any application iterating over endpoints to
> dereference a
> NULL endpoint pointer and crash.
>
> https://nvd.nist.gov/vuln/detail/CVE-2026-23679
>
> CVE-2026-47104: libusb before version 1.0.30 contains a one-byte
> out-of-bounds read vulnerability in parse_iad_array() in descriptor.c
> that
> allows attackers to trigger a denial of service by supplying a
> malformed USB
> descriptor whose bLength equals size minus one, causing the bounds
> check to
> use the original buffer size instead of the remaining size. Attackers
> in
> virtualized environments with USB passthrough can supply crafted
> descriptors
> through libusb_get_active_interface_association_descriptors or
> libusb_get_interface_association_descriptors to read one byte past the
> end
> of the malloc allocation, resulting in a denial of service.
>
> https://nvd.nist.gov/vuln/detail/CVE-2026-47104
>
> For more details, see the announcement:
> https://sourceforge.net/p/libusb/mailman/message/59335553/
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2026-06-05 21:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 7:00 [Buildroot] [PATCH] package/libusb: security bump to version 1.0.30 Peter Korsgaard
2026-06-05 21:00 ` Julien Olivain via buildroot [this message]
2026-06-12 11:38 ` Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a433bc2036e98d719277c87cafcc333a@free.fr \
--to=buildroot@buildroot.org \
--cc=ju.o@free.fr \
--cc=mr.zoltan.gyarmati@gmail.com \
--cc=peter@korsgaard.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox