SB2026051362 - Multiple vulnerabilities in ESP-IDF
Published: May 13, 2026 Updated: May 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-45329)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c when processing caller-supplied pointer arguments. A remote attacker can supply pointers into TEE-exclusive memory to disclose sensitive information.
The issue crosses the REE/TEE isolation boundary and can expose TEE code and data, including cryptographic keys, through repeated calls that may return raw bytes, derived results, or oracle-like disclosure.
2) Out-of-bounds write (CVE-ID: CVE-2026-45328)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds write in secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c when processing caller-supplied pointer arguments for secure service calls. A remote attacker can supply crafted pointers that target TEE-resident memory to execute arbitrary code.
Exploitation requires local code execution in the REE and can break the REE/TEE isolation boundary.
3) NULL pointer dereference (CVE-ID: CVE-2026-45541)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in httpd_ws_get_response_subprotocol() in the esp_http_server component when parsing the client-supplied Sec-WebSocket-Protocol header during the WebSocket handshake. A remote attacker can send a malformed header value to cause a denial of service.
The issue is reachable only when WebSocket support is enabled and at least one registered WebSocket URI handler performs subprotocol negotiation by supplying a non-NULL supported_subprotocol.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-45542)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to heap-based buffer overflow in handle_session_command0() in components/protocomm/src/security/security2.c when processing a client-supplied SRP6a username field during Security Scheme 2 session setup over Bluetooth Low Energy. A remote attacker can send an oversized protobuf username field to cause a denial of service.
The issue is reachable before any SRP6a credential check and affects only the NimBLE BLE transport with Security Scheme 2 enabled.
Remediation
Install update from vendor's website.
References
- https://github.com/espressif/esp-idf/security/advisories/GHSA-w82j-7q63-7pqm
- https://github.com/espressif/esp-idf/commit/145ba4c42dc8283054cfde9a1c3470db7399192f
- https://github.com/espressif/esp-idf/security/advisories/GHSA-mmgp-73p4-92xp
- https://github.com/espressif/esp-idf/security/advisories/GHSA-3j8v-xgrq-5vg8
- https://github.com/espressif/esp-idf/commit/9fc0ca13b3b85b98d32b98cd9dc8ff9d82642b7b
- https://github.com/espressif/esp-idf/security/advisories/GHSA-9r76-858f-v6jh
- https://github.com/espressif/esp-idf/commit/a2f4554f10ba075c98cbc67464db096ba32497cf