CVE-2026-47104

Name: CVE-2026-47104
Description: libusb before version 1.0.30 contains a one-byte out-of-bounds read in parse_iad_array() in descriptor.c. A malformed USB descriptor whose bLength equals size minus one passes the bounds check because that check uses the original buffer size instead of the remaining size, so the parser reads one byte past the end of the malloc allocation; attackers can use this to trigger a denial of service. In virtualized environments with USB passthrough, such crafted descriptors reach the vulnerable code through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
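The bounds-check defect named in the description, modelled in constructed C (an added example, not libusb's parse_iad_array() or any code from the project; the loop shape, the peek() helper, the DT_IAD constant and the sample buffers are assumptions): the flawed walk bounds bLength by the original size, the fixed walk by the bytes remaining after the cursor, and a tracking accessor makes the one-byte overread observable without dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#define DT_IAD 0x0B /* bDescriptorType of an interface association descriptor */

/* Bounds-tracking accessor: never dereferences past `size`, but records the
 * highest index requested, so an overread becomes observable instead of UB. */
static uint8_t peek(const uint8_t *buf, size_t size, size_t idx, size_t *max_idx)
{
    if (idx > *max_idx) *max_idx = idx;
    return idx < size ? buf[idx] : 0;
}

/* Flawed walk, modelling the pre-1.0.30 defect: bLength is bounded by the
 * ORIGINAL size, so a header landing at pos == size - 1 is accepted and its
 * second byte (bDescriptorType) is read one past the end. Returns the highest
 * index examined; *iads (may be NULL) receives the number of IADs counted. */
size_t walk_flawed(const uint8_t *buf, size_t size, int *iads)
{
    size_t pos = 0, max_idx = 0;
    if (iads) *iads = 0;
    while (pos < size) {
        uint8_t len  = peek(buf, size, pos, &max_idx);
        uint8_t type = peek(buf, size, pos + 1, &max_idx); /* may be OOB */
        if (len < 2 || len > size) break;   /* bug: should be size - pos */
        if (type == DT_IAD && iads) (*iads)++;
        pos += len;
    }
    return max_idx;
}

/* Fixed walk: require room for a 2-byte header before reading it, and bound
 * bLength by the bytes remaining after pos rather than by the original size. */
size_t walk_fixed(const uint8_t *buf, size_t size, int *iads)
{
    size_t pos = 0, max_idx = 0;
    if (iads) *iads = 0;
    while (size - pos >= 2) {
        uint8_t len  = peek(buf, size, pos, &max_idx);
        uint8_t type = peek(buf, size, pos + 1, &max_idx);
        if (len < 2 || len > size - pos) break;
        if (type == DT_IAD && iads) (*iads)++;
        pos += len;
    }
    return max_idx;
}

/* Constructed inputs: a 9-byte buffer whose single IAD has bLength == size - 1
 * (8), leaving one trailing byte; and a well-formed 16-byte pair of IADs. */
const uint8_t malformed_desc[9]   = { 8, DT_IAD, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t wellformed_desc[16] = { 8, DT_IAD, 0, 0, 0, 0, 0, 0,
                                      8, DT_IAD, 0, 0, 0, 0, 0, 0 };
```

On the malformed buffer the flawed walk reports index 9 (one past the 9-byte allocation) while the fixed walk stops at index 1; both walk the well-formed buffer identically.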

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release      Version       Status
libusb-1.0 (PTS)    bullseye     2:1.0.24-3    vulnerable
                    bookworm     2:1.0.26-1    vulnerable
                    trixie       2:1.0.28-1    vulnerable
                    forky, sid   2:1.0.30-1    fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libusb-1.0    source   (unstable)   2:1.0.30-1

Notes

[trixie] - libusb-1.0 <no-dsa> (Minor issue)
[bookworm] - libusb-1.0 <no-dsa> (Minor issue)
https://github.com/libusb/libusb/issues/1813
https://github.com/libusb/libusb/pull/1814
https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 (v1.0.30-rc2)
