CVE-2026-25508

MEDIUM · CVSS 3.1: 6.3 · EPSS 10.5%
Published Feb 4, 2026 (4mo ago) · Last Modified Jun 17, 2026 (2w ago)

Description

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
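The length-tracking flaw described above, as an added simplified model that is not ESP-IDF code and does not reproduce the actual patch. The buffer size, the type and function names, and the assumption that the flawed path adds each fragment's length to a running total are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREP_BUF_SIZE 64 /* assumed size, not taken from ESP-IDF */

/* Hypothetical reassembly state; names are illustrative, not ESP-IDF's. */
typedef struct {
    uint8_t buf[PREP_BUF_SIZE];
    size_t len; /* length later handed to the execute-write handler */
} prep_state_t;

typedef int (*prep_fn)(prep_state_t *, size_t, const uint8_t *, size_t);

/* Flawed model: every fragment is bounds-checked on its own, but len grows
 * by n even when the offset overlaps bytes already stored. */
static int prep_write_flawed(prep_state_t *s, size_t off, const uint8_t *d, size_t n)
{
    if (off > PREP_BUF_SIZE || n > PREP_BUF_SIZE - off) return -1;
    memcpy(s->buf + off, d, n);
    s->len += n; /* can exceed PREP_BUF_SIZE after repeated overlaps */
    return 0;
}

/* Hardened model: len is the highest byte written, so the per-fragment
 * bounds check also bounds len. Gaps are rejected (uninitialized bytes). */
static int prep_write_checked(prep_state_t *s, size_t off, const uint8_t *d, size_t n)
{
    if (off > PREP_BUF_SIZE || n > PREP_BUF_SIZE - off) return -1;
    if (off > s->len) return -1;
    memcpy(s->buf + off, d, n);
    if (off + n > s->len) s->len = off + n;
    return 0;
}

/* Feed `count` identical fragments and return the tracked length. */
static size_t replay(prep_fn fn, int count, size_t off, size_t n)
{
    prep_state_t s = {{0}, 0};
    uint8_t frag[PREP_BUF_SIZE] = {0}; /* constructed sample payload */
    for (int i = 0; i < count; i++) fn(&s, off, frag, n);
    return s.len;
}

int main(void)
{
    printf("flawed:  len=%zu (buffer is %d)\n", replay(prep_write_flawed, 4, 0, 32), PREP_BUF_SIZE);
    printf("checked: len=%zu\n", replay(prep_write_checked, 4, 0, 32));
    return 0;
}
```

A handler that receives the tracked length should still verify it against the buffer size before reading, so that a bookkeeping error upstream cannot turn into an out-of-bounds read.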

CVSS Details

Base Score: 6.3
Exploitability: 2.1
Impact: 4.2
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Threat Intelligence

EPSS Exploit Probability: 10.5% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-125: Out-of-bounds Read (Memory Safety)

Affected Products 5

Vendor      Product   Version   Range
espressif   esp-idf   5.1.6     any
espressif   esp-idf   5.2.6     any
espressif   esp-idf   5.3.4     any
espressif   esp-idf   5.4.3     any
espressif   esp-idf   5.5.2     any

References 8

  • github.com https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63
    Patch
  • github.com https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9
    Third Party Advisory

Remediation

  • github.com https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663
    Patch
  • github.com https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63
    Patch