libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash.
2:0.1.12-23.2ubuntu12:0.1.12-23.32:0.1.12-23.3ubuntu12:0.1.12-272:0.1.12-282:0.1.12-312:0.1.12-322:0.1.12-32build22:0.1.12-32build32:0.1.12-32build32:0.1.12-332:0.1.12-352:0.1.12-35build12:0.1.12-35build12:0.1.12-35build12:0.1.12-35build2Exploitability
AV:LAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:NVA:HSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N