CVE-2025-68622: CWE-121: Stack-based Buffer Overflow in espressif esp-usb
Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-68622 affects the Espressif ESP-IDF USB Host UVC Class Driver used for video streaming from USB cameras. In versions prior to 2.4.0, the driver parses configuration descriptors from connected USB Video Class (UVC) devices to print detailed descriptor information. The vulnerability occurs because the length field in the UVC configuration descriptor is not validated before being copied into a fixed-size stack buffer. A malicious UVC device can advertise an excessively large length value, causing a stack-based buffer overflow during descriptor parsing. This overflow can overwrite adjacent memory on the stack, potentially leading to memory corruption, arbitrary code execution, or denial of service through system crashes. The vulnerability requires no privileges or user interaction, but it does require physical access to connect a malicious USB device. The CVSS v3.1 score is 6.8, reflecting medium severity: high impact on confidentiality, integrity, and availability, but a limited (physical) attack vector. The issue is resolved in version 2.4.0 of the esp-usb UVC host driver, where the descriptor length is validated before the copy. No known exploits are currently reported in the wild. This vulnerability is categorized under CWE-121 (Stack-based Buffer Overflow), a common and dangerous class of memory corruption bugs. Espressif’s ESP-IDF is widely used in embedded IoT devices, which may be deployed in industrial, consumer, or commercial environments.
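The missing check described above, shown as an added C example (illustrative code, not esp-usb's own): a descriptor copy that validates the device-supplied bLength against the remaining bytes of the configuration blob and against the fixed stack buffer before copying. The 64-byte buffer size and the descriptor bytes are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed size of the fixed stack buffer used while printing a descriptor. */
#define DESC_COPY_MAX 64
/* Every USB descriptor begins with bLength and bDescriptorType. */
#define USB_DESC_HDR_LEN 2

/* Vulnerable pattern (do not use): the device-supplied bLength is trusted.
 *   uint8_t buf[DESC_COPY_MAX];
 *   memcpy(buf, desc, desc[0]);   // desc[0] may be up to 255 */

/* Hardened copy: reject a descriptor whose bLength is shorter than the
 * header, longer than what remains in the blob, or longer than the buffer. */
static bool copy_desc_checked(const uint8_t *desc, size_t remaining,
                              uint8_t *out, size_t out_len)
{
    if (desc == NULL || out == NULL || remaining < USB_DESC_HDR_LEN) {
        return false;
    }
    uint8_t blen = desc[0];
    /* blen < 2 also prevents a zero-length descriptor from looping forever */
    if (blen < USB_DESC_HDR_LEN || blen > remaining || blen > out_len) {
        return false;
    }
    memcpy(out, desc, blen);
    return true;
}

/* Walk a configuration descriptor blob, copying each descriptor into the
 * stack buffer as a printer would; returns the count of descriptors that
 * passed, or -1 at the first malformed one. */
int count_valid_descriptors(const uint8_t *cfg, size_t cfg_len)
{
    uint8_t buf[DESC_COPY_MAX];
    size_t off = 0;
    int n = 0;
    while (off < cfg_len) {
        if (!copy_desc_checked(cfg + off, cfg_len - off, buf, sizeof buf)) {
            return -1;
        }
        off += cfg[off];
        n++;
    }
    return n;
}

/* Constructed samples: a 9-byte configuration descriptor followed by a
 * 3-byte class-specific descriptor; the hostile copy claims bLength 0xFF. */
const uint8_t sample_benign[]  = {0x09, 0x02, 0x0C, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
                                  0x03, 0x24, 0x01};
const uint8_t sample_hostile[] = {0x09, 0x02, 0x0C, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
                                  0xFF, 0x24, 0x01};
```

With the check in place the hostile blob is rejected at the second descriptor instead of driving a 255-byte memcpy into a 64-byte stack buffer.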
Potential Impact
For European organizations, this vulnerability poses a risk primarily to embedded systems and IoT devices using Espressif ESP-IDF with USB host UVC functionality. Exploitation can lead to arbitrary code execution, allowing attackers to take control of affected devices, disrupt operations, or exfiltrate sensitive data. This is particularly concerning for critical infrastructure, industrial control systems, and smart devices prevalent in sectors such as manufacturing, healthcare, and transportation. The requirement for physical access limits remote exploitation but increases the threat from insider attacks or supply chain compromises. Memory corruption can also cause device instability or denial of service, impacting availability. Given the growing adoption of Espressif chips in European IoT deployments, the vulnerability could affect a broad range of devices, potentially cascading into larger operational disruptions if exploited at scale.
Mitigation Recommendations
1. Upgrade all Espressif ESP-IDF USB Host UVC Class Driver implementations to version 2.4.0 or later, where the vulnerability is fixed.
2. If upgrading is not immediately feasible, disable UVC configuration-descriptor printing to prevent the vulnerable code path from executing.
3. Implement strict physical security controls to restrict USB port access to trusted personnel and devices, minimizing the risk of malicious USB device insertion.
4. Employ USB device whitelisting or port control solutions to allow only authorized USB devices to connect.
5. Conduct regular firmware audits and vulnerability scanning on embedded devices to detect outdated ESP-IDF versions.
6. Monitor device logs for unusual USB connection events or crashes that may indicate exploitation attempts.
7. For critical deployments, consider network segmentation and device isolation to limit the impact of compromised devices.
8. Engage with device manufacturers and suppliers to ensure timely patching and secure device lifecycle management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-19T18:50:09.991Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69652e21da2266e838e2547e
Added to database: 1/12/2026, 5:23:45 PM
Last enriched: 1/12/2026, 5:38:07 PM
Last updated: 1/12/2026, 8:03:08 PM