71 vulnerabilities found for esp-idf by espressif
CVE-2025-68474 (GCVE-0-2025-68474)
Vulnerability from nvd – Published: 2025-12-26 23:57 – Updated: 2025-12-29 16:51
Title
ESP-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Vendor Command Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the fixed header data actually written before the vendor payload exceeds this value: 29 bytes are written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could therefore allow an out-of-bounds write when vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled.
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:43:54.191900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:51:36.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg-\u003ep_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T23:57:54.853Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57"
},
{
"name": "https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132"
},
{
"name": "https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0"
},
{
"name": "https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0"
},
{
"name": "https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376"
}
],
"source": {
"advisory": "GHSA-43gh-7r4f-qp57",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Vendor Command Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68474",
"datePublished": "2025-12-26T23:57:54.853Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-29T16:51:36.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68473 (GCVE-0-2025-68473)
Vulnerability from nvd – Published: 2025-12-26 23:54 – Updated: 2025-12-29 16:51
Title
ESP-IDF Has Out-of-Bounds Read in ESP32 Bluetooth SDP Result Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, the number of available services can exceed this fixed limit of 32. If more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write. (Note that although the title says "Out-of-Bounds Read", the description and the assigned CWE-787 both describe an out-of-bounds write; the CVSS v4.0 metrics recorded for this entry score it 0.0 with all impact metrics set to NONE, so triage by score alone would understate the described memory-corruption impact.)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:44:09.956137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:51:42.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T23:54:47.709Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab"
},
{
"name": "https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1"
},
{
"name": "https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e"
},
{
"name": "https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed"
},
{
"name": "https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6"
}
],
"source": {
"advisory": "GHSA-hmjj-rjvv-w8pq",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF Has Out-of-Bounds Read in ESP32 Bluetooth SDP Result Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68473",
"datePublished": "2025-12-26T23:54:47.709Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-29T16:51:42.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66409 (GCVE-0-2025-66409)
Vulnerability from nvd – Published: 2025-12-02 18:09 – Updated: 2025-12-02 18:46
Title
ESP-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP Command Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T18:43:14.641038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:46:18.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:09:03.069Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96"
},
{
"name": "https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb"
},
{
"name": "https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372"
},
{
"name": "https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946"
},
{
"name": "https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace"
},
{
"name": "https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7"
}
],
"source": {
"advisory": "GHSA-qhf9-vr2h-jh96",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP Command Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66409",
"datePublished": "2025-12-02T18:09:03.069Z",
"dateReserved": "2025-11-28T23:33:56.365Z",
"dateUpdated": "2025-12-02T18:46:18.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65092 (GCVE-0-2025-65092)
Vulnerability from nvd – Published: 2025-11-21 21:33 – Updated: 2025-11-21 21:56
Title
ESP32-P4 JPEG Decoder Header Parsing Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software header parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At the time of publication, versions 5.5.2, 5.4.4, and 5.3.5 had not been released, but the fixes are in commits 4b8f585, c79cb4d, and 34e2726 respectively.
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T21:56:06.906288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:56:26.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "= 5.5.1"
},
{
"status": "affected",
"version": "= 5.4.3"
},
{
"status": "affected",
"version": "= 5.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:33:03.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27"
}
],
"source": {
"advisory": "GHSA-vcw6-jc3p-4gj8",
"discovery": "UNKNOWN"
},
"title": "ESP32-P4 JPEG Decoder Header Parsing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65092",
"datePublished": "2025-11-21T21:33:03.656Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2025-11-21T21:56:26.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64342 (GCVE-0-2025-64342)
Vulnerability from nvd – Published: 2025-11-17 17:21 – Updated: 2025-11-17 21:04
Title
ESP-IDF's ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At the time of publication, versions 5.5.2, 5.3.5, and 5.1.7 had not been released, but the fixes are in commits 3b95b50, e3d7042, and 75967b5 respectively.
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T21:03:18.603291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T21:04:07.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c 5.3.5"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c 5.2.6"
},
{
"status": "affected",
"version": "\u003c 5.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T17:21:01.773Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v"
},
{
"name": "https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a"
},
{
"name": "https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b"
},
{
"name": "https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc"
},
{
"name": "https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925"
}
],
"source": {
"advisory": "GHSA-8mg7-9qpg-p92v",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF\u0027s ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64342",
"datePublished": "2025-11-17T17:21:01.773Z",
"dateReserved": "2025-10-30T17:40:52.031Z",
"dateUpdated": "2025-11-17T21:04:07.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55297 (GCVE-0-2025-55297)
Vulnerability from nvd – Published: 2025-08-21 15:05 – Updated: 2025-08-22 11:32
Title
ESP-IDF BluFi Example Memory Overflow Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9.
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T11:32:27.655323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T11:32:48.470Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.9"
},
{
"status": "affected",
"version": "\u003e= 5.1-beta1, \u003c 5.1.6"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c 5.3.3"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie\u2013Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:05:06.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4"
},
{
"name": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f"
},
{
"name": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa"
},
{
"name": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84"
},
{
"name": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99"
},
{
"name": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501"
},
{
"name": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d"
}
],
"source": {
"advisory": "GHSA-9w88-r2vm-qfc4",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF BluFi Example Memory Overflow Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55297",
"datePublished": "2025-08-21T15:05:06.805Z",
"dateReserved": "2025-08-12T16:15:30.238Z",
"dateUpdated": "2025-08-22T11:32:48.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52471 (GCVE-0-2025-52471)
Vulnerability from nvd – Published: 2025-06-24 19:53 – Updated: 2025-06-24 20:02
Title
ESP-NOW Integer Underflow Vulnerability Advisory
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
Severity ?
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T20:02:03.737707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T20:02:18.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "= 5.4.1"
},
{
"status": "affected",
"version": "= 5.3.3"
},
{
"status": "affected",
"version": "= 5.2.5"
},
{
"status": "affected",
"version": "= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T19:53:06.066Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2"
},
{
"name": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80"
}
],
"source": {
"advisory": "GHSA-hqhh-cp47-fv5g",
"discovery": "UNKNOWN"
},
"title": "ESP-NOW Integer Underflow Vulnerability Advisory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52471",
"datePublished": "2025-06-24T19:53:06.066Z",
"dateReserved": "2025-06-17T02:28:39.716Z",
"dateUpdated": "2025-06-24T20:02:18.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53406 (GCVE-0-2024-53406)
Vulnerability from nvd – Published: 2025-03-13 00:00 – Updated: 2025-03-19 18:42
Summary
Espressif ESP-IDF v5.3.0 is vulnerable to insecure permissions resulting in an authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to carry out security bypass attacks.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T17:08:50.323042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T18:42:46.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:08:04.530Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/espressif/esp-idf"
},
{
"url": "https://github.com/yangting111/BLE_TEST/blob/main/result/PoC/Esp/sk_reuse.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-53406",
"datePublished": "2025-03-13T00:00:00.000Z",
"dateReserved": "2024-11-20T00:00:00.000Z",
"dateUpdated": "2025-03-19T18:42:46.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53845 (GCVE-0-2024-53845)
Vulnerability from nvd – Published: 2024-12-11 22:35 – Updated: 2024-12-12 16:35
Title
AES/CBC Constant IV Vulnerability in ESPTouch v2
Summary
ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
Severity ?
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:34:50.853994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:35:00.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 5.3.2"
},
{
"status": "affected",
"version": "\u003e= 5.2.0, \u003c 5.2.4"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.6"
},
{
"status": "affected",
"version": "\u003c 5.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product\u0027s lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-909",
"description": "CWE-909: Missing Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:35:48.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2"
},
{
"name": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7"
},
{
"name": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2"
},
{
"name": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2"
},
{
"name": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi"
}
],
"source": {
"advisory": "GHSA-wm57-466g-mhrr",
"discovery": "UNKNOWN"
},
"title": "AES/CBC Constant IV Vulnerability in ESPTouch v2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53845",
"datePublished": "2024-12-11T22:35:48.528Z",
"dateReserved": "2024-11-22T17:30:02.139Z",
"dateUpdated": "2024-12-12T16:35:00.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51428 (GCVE-0-2024-51428)
Vulnerability from nvd – Published: 2024-11-07 00:00 – Updated: 2024-11-08 16:57
Summary
An issue in Espressif ESP-IDF v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:expressif:esp_idf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "esp_idf",
"vendor": "expressif",
"versions": [
{
"status": "affected",
"version": "5.3.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T16:55:00.750179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T16:57:54.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:22:00.764120",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/espressif/esp-idf"
},
{
"url": "https://gitee.com/guozhi123456/vulnerability-Report/blob/master/Esp/Accept_Invaild_Address.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51428",
"datePublished": "2024-11-07T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-11-08T16:57:54.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33453 (GCVE-0-2024-33453)
Vulnerability from nvd – Published: 2024-10-17 00:00 – Updated: 2024-10-18 19:10
Summary
A buffer overflow vulnerability in esp-idf v5.1 allows a remote attacker to obtain sensitive information via the externalId component.
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:espressif:esp-idf:5.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "5.1"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T19:09:02.781606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T19:10:25.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T21:25:08.352533",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Ant1sec-ops/CVE-2024-33453"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33453",
"datePublished": "2024-10-17T00:00:00",
"dateReserved": "2024-04-23T00:00:00",
"dateUpdated": "2024-10-18T19:10:25.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-68474
Vulnerability from fkie_nvd - Published: 2025-12-27 00:15 - Updated: 2026-01-22 16:00
Severity ?
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "37A040C2-E9D4-4678-9A10-74B5AEE4901D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AA4D9168-C8C1-4B1A-81C3-D4888DB36CAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7CA4F443-03D3-4B10-909E-A813F72BC08C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C84481DF-BAFA-4644-B5B1-1F9BB5F535E4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg-\u003ep_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled."
}
],
"id": "CVE-2025-68474",
"lastModified": "2026-01-22T16:00:51.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-27T00:15:42.490",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-68473
Vulnerability from fkie_nvd - Published: 2025-12-27 00:15 - Updated: 2026-01-22 16:01
Severity ?
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "37A040C2-E9D4-4678-9A10-74B5AEE4901D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AA4D9168-C8C1-4B1A-81C3-D4888DB36CAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7CA4F443-03D3-4B10-909E-A813F72BC08C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C84481DF-BAFA-4644-B5B1-1F9BB5F535E4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition."
}
],
"id": "CVE-2025-68473",
"lastModified": "2026-01-22T16:01:58.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 0.0,
"baseSeverity": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-27T00:15:42.323",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Mitigation"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-55297
Vulnerability from fkie_nvd - Published: 2025-08-21 15:15 - Updated: 2026-01-22 16:04
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to buffer overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F1113E3-FC3F-4B03-979A-6596C9CADECD",
"versionEndExcluding": "5.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "388091CC-A010-4425-9008-C145C982BE47",
"versionEndExcluding": "5.1.6",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AE357AE-5881-4F66-B855-963112D65190",
"versionEndExcluding": "5.3.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB4180D3-631E-42A5-95BC-CC5E70013B85",
"versionEndExcluding": "5.4.1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie\u2013Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9."
},
{
"lang": "es",
"value": "ESF-IDF es el framework de desarrollo de Espressif para Internet of Things (IoT). El ejemplo BluFi incluido en ESP-IDF era vulnerable a desbordamientos de memoria en dos \u00e1reas: gesti\u00f3n de credenciales Wi-Fi e intercambio de claves Diffie-Hellman. Esta vulnerabilidad se ha corregido en las versiones 5.4.1, 5.3.3, 5.1.6 y 5.0.9."
}
],
"id": "CVE-2025-55297",
"lastModified": "2026-01-22T16:04:06.620",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-21T15:15:33.717",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
},
{
"lang": "en",
"value": "CWE-131"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-52471
Vulnerability from fkie_nvd - Published: 2025-06-24 20:15 - Updated: 2026-01-22 16:05
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. The issue stems from insufficient validation of the user-supplied data length in the packet receive function. Under certain conditions this may lead to out-of-bounds memory access and may allow arbitrary memory writes. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW adds more comprehensive validation of the user-supplied data length during packet reception to prevent the integer underflow caused by negative-value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "AFFE82AE-24D5-4EF1-8A31-0965A8355F8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96ED2D39-F568-4F63-B475-6F8F5D8E90EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB79292-C9AD-4F49-8644-00736AE0FE78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."
},
{
"lang": "es",
"value": "ESF-IDF es el framework de desarrollo de Espressif para el Internet de las Cosas (IoT). Se ha identificado una vulnerabilidad de subdesbordamiento de enteros en la implementaci\u00f3n del protocolo ESP-NOW dentro del componente Wi-Fi ESP de las versiones 5.4.1, 5.3.3, 5.2.5 y 5.1.6 del marco ESP-IDF. Este problema se debe a una validaci\u00f3n insuficiente de la longitud de los datos proporcionados por el usuario en la funci\u00f3n de recepci\u00f3n de paquetes. En determinadas circunstancias, esto puede provocar accesos a memoria fuera de los l\u00edmites y permitir operaciones de escritura arbitrarias. En sistemas sin un esquema de protecci\u00f3n de memoria, este comportamiento podr\u00eda utilizarse para lograr la ejecuci\u00f3n remota de c\u00f3digo (RCE) en el dispositivo de destino. En las versiones 5.4.2, 5.3.4, 5.2.6 y 5.1.6, ESP-NOW ha a\u00f1adido una l\u00f3gica de validaci\u00f3n m\u00e1s completa sobre la longitud de los datos proporcionados por el usuario durante la recepci\u00f3n de paquetes para evitar el subdesbordamiento de enteros causado por c\u00e1lculos de valores negativos. Para ESP-IDF v5.3 y versiones anteriores, se puede aplicar una soluci\u00f3n alternativa validando que el par\u00e1metro `data_len` recibido en la devoluci\u00f3n de llamada RX (registrado mediante `esp_now_register_recv_cb()`) sea un valor positivo antes de continuar con el procesamiento. Para ESP-IDF v5.4 y versiones posteriores, no hay ninguna soluci\u00f3n alternativa a nivel de aplicaci\u00f3n. Se recomienda a los usuarios actualizar a una versi\u00f3n parcheada de ESP-IDF para aprovechar la mitigaci\u00f3n integrada."
}
],
"id": "CVE-2025-52471",
"lastModified": "2026-01-22T16:05:44.083",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-24T20:15:26.033",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-191"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-53406
Vulnerability from fkie_nvd - Published: 2025-03-13 17:15 - Updated: 2025-12-31 01:04
Summary
Espressif ESP-IDF v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication Bypass. During the reconnection phase, the device reuses the session key from a previous connection session, giving attackers an opportunity to carry out security-bypass attacks.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.3:-:*:*:*:*:*:*",
"matchCriteriaId": "BC716504-A656-4F00-9FB7-835AB4068786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks."
},
{
"lang": "es",
"value": "Espressif Esp idf v5.3.0 es vulnerable a permisos inseguros, lo que resulta en la omisi\u00f3n de la autenticaci\u00f3n. Durante la fase de reconexi\u00f3n, el dispositivo reutiliza la clave de sesi\u00f3n de una sesi\u00f3n anterior, lo que permite a los atacantes ejecutar ataques de omisi\u00f3n de seguridad."
}
],
"id": "CVE-2024-53406",
"lastModified": "2025-12-31T01:04:08.637",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-13T17:15:33.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/espressif/esp-idf"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://github.com/yangting111/BLE_TEST/blob/main/result/PoC/Esp/sk_reuse.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-51428
Vulnerability from fkie_nvd - Published: 2024-11-07 18:15 - Updated: 2026-01-14 15:42
Summary
An issue in Espressif ESP-IDF v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.3:-:*:*:*:*:*:*",
"matchCriteriaId": "BC716504-A656-4F00-9FB7-835AB4068786",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet."
},
{
"lang": "es",
"value": "Un problema en Espressif Esp idf v5.3.0 permite a los atacantes provocar una denegaci\u00f3n de servicio (DoS) a trav\u00e9s de un paquete de canal de datos creado."
}
],
"id": "CVE-2024-51428",
"lastModified": "2026-01-14T15:42:13.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-11-07T18:15:17.677",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gitee.com/guozhi123456/vulnerability-Report/blob/master/Esp/Accept_Invaild_Address.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/espressif/esp-idf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-33453
Vulnerability from fkie_nvd - Published: 2024-10-17 22:15 - Updated: 2025-12-31 01:16
Summary
Buffer Overflow vulnerability in ESP-IDF v5.1 allows a remote attacker to obtain sensitive information via the externalId component.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/Ant1sec-ops/CVE-2024-33453 | Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CB91E5B4-D5FF-4B61-9F70-F94A3B7925A8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component."
},
{
"lang": "es",
"value": "La vulnerabilidad de desbordamiento de b\u00fafer en esp-idf v.5.1 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s del componente externalId."
}
],
"id": "CVE-2024-33453",
"lastModified": "2025-12-31T01:16:35.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-17T22:15:03.040",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/Ant1sec-ops/CVE-2024-33453"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-33454
Vulnerability from fkie_nvd - Published: 2024-05-14 15:37 - Updated: 2025-12-31 01:16
Summary
Buffer Overflow vulnerability in ESP-IDF v5.1 allows a remote attacker to execute arbitrary code via a crafted script sent to the Bluetooth stack component.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://gist.github.com/Zakary-D/30f565c4266c02c62aa9089c363e78e9 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/Zakary-D/30f565c4266c02c62aa9089c363e78e9 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espressif:esp-idf:5.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CB91E5B4-D5FF-4B61-9F70-F94A3B7925A8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the Bluetooth stack component."
},
{
"lang": "es",
"value": "La vulnerabilidad de desbordamiento de b\u00fafer en esp-idf v.5.1 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un script manipulado en el componente de la pila Bluetooth."
}
],
"id": "CVE-2024-33454",
"lastModified": "2025-12-31T01:16:27.710",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-14T15:37:41.710",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/Zakary-D/30f565c4266c02c62aa9089c363e78e9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/Zakary-D/30f565c4266c02c62aa9089c363e78e9"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2025-68474 (GCVE-0-2025-68474)
Vulnerability from cvelistv5 – Published: 2025-12-26 23:57 – Updated: 2025-12-29 16:51
Title
ESP-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Vendor Command Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack validated the allocated buffer size against AVRC_MIN_CMD_LEN (20 bytes). However, the fixed header data actually written before the vendor payload exceeds this value: 29 bytes are written before p_msg->p_vendor_data is copied. Validating against the old AVRC_MIN_CMD_LEN could therefore allow an out-of-bounds write when vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled.
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:43:54.191900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:51:36.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg-\u003ep_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T23:57:54.853Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57"
},
{
"name": "https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132"
},
{
"name": "https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0"
},
{
"name": "https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0"
},
{
"name": "https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376"
}
],
"source": {
"advisory": "GHSA-43gh-7r4f-qp57",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Vendor Command Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68474",
"datePublished": "2025-12-26T23:57:54.853Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-29T16:51:36.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68473 (GCVE-0-2025-68473)
Vulnerability from cvelistv5 – Published: 2025-12-26 23:54 – Updated: 2025-12-29 16:51
Title
ESP-IDF Has Out-of-Bounds Read in ESP32 Bluetooth SDP Result Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, the number of available services can exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition.
Severity
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:44:09.956137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:51:42.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T23:54:47.709Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab"
},
{
"name": "https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1"
},
{
"name": "https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e"
},
{
"name": "https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed"
},
{
"name": "https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6"
}
],
"source": {
"advisory": "GHSA-hmjj-rjvv-w8pq",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF Has Out-of-Bounds Read in ESP32 Bluetooth SDP Result Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68473",
"datePublished": "2025-12-26T23:54:47.709Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-29T16:51:42.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66409 (GCVE-0-2025-66409)
Vulnerability from cvelistv5 – Published: 2025-12-02 18:09 – Updated: 2025-12-02 18:46
Title
ESP-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP Command Handling
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior.
Severity
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T18:43:14.641038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:46:18.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c= 5.5.1"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c= 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c= 5.3.4"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c= 5.2.6"
},
{
"status": "affected",
"version": "\u003c= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:09:03.069Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96"
},
{
"name": "https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb"
},
{
"name": "https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372"
},
{
"name": "https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946"
},
{
"name": "https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace"
},
{
"name": "https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7"
}
],
"source": {
"advisory": "GHSA-qhf9-vr2h-jh96",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP Command Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66409",
"datePublished": "2025-12-02T18:09:03.069Z",
"dateReserved": "2025-11-28T23:33:56.365Z",
"dateUpdated": "2025-12-02T18:46:18.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65092 (GCVE-0-2025-65092)
Vulnerability from cvelistv5 – Published: 2025-11-21 21:33 – Updated: 2025-11-21 21:56
Title
ESP32-P4 JPEG Decoder Header Parsing Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At the time of publication, versions 5.5.2, 5.4.4, and 5.3.5 had not been released; the fixes are in commits 4b8f585, c79cb4d, and 34e2726 respectively.
Severity
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T21:56:06.906288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:56:26.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "= 5.5.1"
},
{
"status": "affected",
"version": "= 5.4.3"
},
{
"status": "affected",
"version": "= 5.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:33:03.656Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27"
}
],
"source": {
"advisory": "GHSA-vcw6-jc3p-4gj8",
"discovery": "UNKNOWN"
},
"title": "ESP32-P4 JPEG Decoder Header Parsing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65092",
"datePublished": "2025-11-21T21:33:03.656Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2025-11-21T21:56:26.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64342 (GCVE-0-2025-64342)
Vulnerability from cvelistv5 – Published: 2025-11-17 17:21 – Updated: 2025-11-17 21:04
Title
ESP-IDF's ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At the time of publication, versions 5.5.2, 5.3.5, and 5.1.7 had not been released; the fixes are in commits 3b95b50, e3d7042, and 75967b5 respectively.
Severity
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T21:03:18.603291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T21:04:07.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.5-beta1, \u003c 5.5.2"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c 5.4.3"
},
{
"status": "affected",
"version": "\u003e= 5.3-beta1, \u003c 5.3.5"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c 5.2.6"
},
{
"status": "affected",
"version": "\u003c 5.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T17:21:01.773Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v"
},
{
"name": "https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a"
},
{
"name": "https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b"
},
{
"name": "https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc"
},
{
"name": "https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925"
}
],
"source": {
"advisory": "GHSA-8mg7-9qpg-p92v",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF\u0027s ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64342",
"datePublished": "2025-11-17T17:21:01.773Z",
"dateReserved": "2025-10-30T17:40:52.031Z",
"dateUpdated": "2025-11-17T21:04:07.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55297 (GCVE-0-2025-55297)
Vulnerability from cvelistv5 – Published: 2025-08-21 15:05 – Updated: 2025-08-22 11:32
Title
ESP-IDF BluFi Example Memory Overflow Vulnerability
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability is fixed in versions 5.4.1, 5.3.3, 5.1.6, and 5.0.9.
Severity
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T11:32:27.655323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T11:32:48.470Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.9"
},
{
"status": "affected",
"version": "\u003e= 5.1-beta1, \u003c 5.1.6"
},
{
"status": "affected",
"version": "\u003e= 5.2-beta1, \u003c 5.3.3"
},
{
"status": "affected",
"version": "\u003e= 5.4-beta1, \u003c 5.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie\u2013Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:05:06.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4"
},
{
"name": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345"
},
{
"name": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f"
},
{
"name": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa"
},
{
"name": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84"
},
{
"name": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99"
},
{
"name": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501"
},
{
"name": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c"
},
{
"name": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d"
},
{
"name": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d"
}
],
"source": {
"advisory": "GHSA-9w88-r2vm-qfc4",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF BluFi Example Memory Overflow Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55297",
"datePublished": "2025-08-21T15:05:06.805Z",
"dateReserved": "2025-08-12T16:15:30.238Z",
"dateUpdated": "2025-08-22T11:32:48.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52471 (GCVE-0-2025-52471)
Vulnerability from cvelistv5 – Published: 2025-06-24 19:53 – Updated: 2025-06-24 20:02
Title
ESP-NOW Integer Underflow Vulnerability Advisory
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
Severity
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T20:02:03.737707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T20:02:18.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "= 5.4.1"
},
{
"status": "affected",
"version": "= 5.3.3"
},
{
"status": "affected",
"version": "= 5.2.5"
},
{
"status": "affected",
"version": "= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T19:53:06.066Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g"
},
{
"name": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409"
},
{
"name": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2"
},
{
"name": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80"
}
],
"source": {
"advisory": "GHSA-hqhh-cp47-fv5g",
"discovery": "UNKNOWN"
},
"title": "ESP-NOW Integer Underflow Vulnerability Advisory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52471",
"datePublished": "2025-06-24T19:53:06.066Z",
"dateReserved": "2025-06-17T02:28:39.716Z",
"dateUpdated": "2025-06-24T20:02:18.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53406 (GCVE-0-2024-53406)
Vulnerability from cvelistv5 – Published: 2025-03-13 00:00 – Updated: 2025-03-19 18:42
Summary
Espressif ESP-IDF v5.3.0 is vulnerable to insecure permissions, resulting in an authentication bypass. During the reconnection phase, the device reuses the session key from a previous connection session, giving attackers an opportunity to carry out security-bypass attacks.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T17:08:50.323042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T18:42:46.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:08:04.530Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/espressif/esp-idf"
},
{
"url": "https://github.com/yangting111/BLE_TEST/blob/main/result/PoC/Esp/sk_reuse.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-53406",
"datePublished": "2025-03-13T00:00:00.000Z",
"dateReserved": "2024-11-20T00:00:00.000Z",
"dateUpdated": "2025-03-19T18:42:46.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53845 (GCVE-0-2024-53845)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:35 – Updated: 2024-12-12 16:35
Title
AES/CBC Constant IV Vulnerability in ESPTouch v2
Summary
ESPTouch is a connection protocol for Internet of Things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8 there is no option to set the IV (Initialization Vector). The IV is set to zero and remains constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address this issue, starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8 the application generates a random IV when activating the AES key. This IV is then transmitted along with the provision data to the provisioned device, which has been equipped with a parser for the AES IV. The upgrade applies to all applications and users of the ESPTouch v2 component from ESP-IDF. As the fix is implemented in the ESP Wi-Fi stack, there is no workaround at the application layer without upgrading the underlying firmware.
Severity ?
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:34:50.853994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:35:00.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.3.0, \u003c 5.3.2"
},
{
"status": "affected",
"version": "\u003e= 5.2.0, \u003c 5.2.4"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.6"
},
{
"status": "affected",
"version": "\u003c 5.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product\u0027s lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-909",
"description": "CWE-909: Missing Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:35:48.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db"
},
{
"name": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8"
},
{
"name": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2"
},
{
"name": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7"
},
{
"name": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2"
},
{
"name": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2"
},
{
"name": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi"
}
],
"source": {
"advisory": "GHSA-wm57-466g-mhrr",
"discovery": "UNKNOWN"
},
"title": "AES/CBC Constant IV Vulnerability in ESPTouch v2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53845",
"datePublished": "2024-12-11T22:35:48.528Z",
"dateReserved": "2024-11-22T17:30:02.139Z",
"dateUpdated": "2024-12-12T16:35:00.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51428 (GCVE-0-2024-51428)
Vulnerability from cvelistv5 – Published: 2024-11-07 00:00 – Updated: 2024-11-08 16:57
Summary
An issue in Espressif ESP-IDF v5.3.0 allows attackers to cause a denial of service (DoS) via a crafted data channel packet.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:expressif:esp_idf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "esp_idf",
"vendor": "expressif",
"versions": [
{
"status": "affected",
"version": "5.3.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T16:55:00.750179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T16:57:54.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:22:00.764120",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/espressif/esp-idf"
},
{
"url": "https://gitee.com/guozhi123456/vulnerability-Report/blob/master/Esp/Accept_Invaild_Address.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51428",
"datePublished": "2024-11-07T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-11-08T16:57:54.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33453 (GCVE-0-2024-33453)
Vulnerability from cvelistv5 – Published: 2024-10-17 00:00 – Updated: 2024-10-18 19:10
Summary
A buffer overflow vulnerability in esp-idf v5.1 allows a remote attacker to obtain sensitive information via the externalId component.
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:espressif:esp-idf:5.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "5.1"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T19:09:02.781606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T19:10:25.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T21:25:08.352533",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Ant1sec-ops/CVE-2024-33453"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33453",
"datePublished": "2024-10-17T00:00:00",
"dateReserved": "2024-04-23T00:00:00",
"dateUpdated": "2024-10-18T19:10:25.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}