Severity by source
CVSS 3.1 vector (Vendor: GitHub_M): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High)
Primary rating from Vendor (GitHub_M) · only source for this CVE.
Description (CVE.org)
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Analysis (AI)
Remote denial-of-service in Espressif ESP-IDF's esp_http_server WebSocket handshake allows unauthenticated attackers to crash IoT devices by sending a malformed Sec-WebSocket-Protocol header. The flaw (CWE-476 NULL-pointer dereference) is triggered pre-authentication during subprotocol negotiation and affects ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0; no public exploit identified at time of analysis, though upstream commits disclose the exact vulnerable code path.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target device must run ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0 with the esp_http_server component compiled in and WebSocket support enabled, and must expose its HTTP server on a network reachable by the attacker. … |
| Risk Assessment | The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) accurately reflects an unauthenticated, low-complexity, network-reachable, availability-only impact: a remote DoS. … |
| Exploit Scenario | An attacker who can reach the HTTP server of an ESP32 device running an esp_http_server WebSocket endpoint (typically from the same LAN) sends a single HTTP GET upgrade request with a malformed Sec-WebSocket-Protocol header, for example a value whose tokenisation yields no first token. The server dereferences a NULL pointer during subprotocol matching and crashes the HTTP task, taking the device's management or telemetry interface offline until reboot or watchdog reset. … |
| Remediation | Upgrade ESP-IDF to the vendor-released patched version on the matching release branch (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1), then rebuild and reflash affected devices. See https://github.com/espressif/esp-idf/security/advisories/GHSA-3j8v-xgrq-5vg8 and fix commits 00a2f7fb, 0dc4ee75, 37508ab9, 9fc0ca13, dc46dc51, f88a47e4. … |
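The description and the exploit-scenario row above both hinge on one detail: the first token of the Sec-WebSocket-Protocol value is used without checking whether tokenisation produced anything. The following is a constructed illustration added here, not code from esp_http_server or from the fix commits. It places a negotiator with exactly that missing check beside a hardened one that walks the comma-separated list in place, counts the tokens it actually saw, and maps an empty list to a 400 rather than a crash. All function and enum names (negotiate_vulnerable, negotiate_hardened, handshake_status, neg_result_t) are hypothetical, and the header values in main() are constructed samples.

```c
/*
 * Constructed illustration of the CWE-476 pattern on this page: a WebSocket
 * subprotocol negotiator that dereferences the first tokenisation result
 * without a NULL check, next to a version that handles an empty token list.
 * Names are hypothetical; this is not esp_http_server code.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    NEG_MATCH = 0,      /* a supported subprotocol was selected */
    NEG_NO_MATCH = 1,   /* no usable token matched: finish the handshake without the header */
    NEG_BAD_HEADER = 2  /* header present but contains no token at all: fail the handshake */
} neg_result_t;

/* The bug class: strtok() returns NULL for a value such as "", " " or ",",
 * and strcmp() then reads through that NULL pointer. Never call this with
 * such a value; it is here only to show where the missing check sits. */
neg_result_t negotiate_vulnerable(const char *header_value, const char *supported,
                                  char *chosen, size_t chosen_len)
{
    char buf[128];

    snprintf(buf, sizeof(buf), "%s", header_value);
    char *tok = strtok(buf, ", \t");
    /* BUG: tok is NULL when the header value has no first token. */
    if (strcmp(tok, supported) == 0) {
        snprintf(chosen, chosen_len, "%s", tok);
        return NEG_MATCH;
    }
    return NEG_NO_MATCH;
}

/* Hardened form: scans the list in place, counts the tokens it actually saw,
 * and reports an empty list instead of dereferencing anything. */
neg_result_t negotiate_hardened(const char *header_value, const char *supported,
                                char *chosen, size_t chosen_len)
{
    const char *p = header_value;
    size_t want = strlen(supported);
    size_t tokens = 0;

    if (p == NULL) {
        return NEG_NO_MATCH;        /* header absent: plain upgrade, no subprotocol */
    }
    while (*p != '\0') {
        while (*p == ',' || *p == ' ' || *p == '\t') {
            p++;                    /* skip list separators and optional whitespace */
        }
        if (*p == '\0') {
            break;
        }
        const char *start = p;
        while (*p != '\0' && *p != ',' && *p != ' ' && *p != '\t') {
            p++;
        }
        size_t len = (size_t)(p - start);
        tokens++;
        if (len == want && memcmp(start, supported, len) == 0) {
            snprintf(chosen, chosen_len, "%.*s", (int)len, start);
            return NEG_MATCH;
        }
    }
    return tokens == 0 ? NEG_BAD_HEADER : NEG_NO_MATCH;
}

/* What the handshake should answer: 400 for a header that parsed to nothing
 * (RFC 6455 section 4.2.2 lets the server reject a malformed handshake),
 * 101 otherwise. The crash described on this page happens instead of the 400. */
int handshake_status(const char *header_value, const char *supported)
{
    char chosen[32];

    return negotiate_hardened(header_value, supported, chosen, sizeof(chosen)) == NEG_BAD_HEADER
               ? 400 : 101;
}

int main(void)
{
    /* Constructed header values; the last three are the shapes that trip the bug. */
    const char *samples[] = { "chat, superchat", "mqtt", "", " ", "," };
    char chosen[32];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        chosen[0] = '\0';
        neg_result_t r = negotiate_hardened(samples[i], "superchat", chosen, sizeof(chosen));
        printf("'%s' -> result %d, status %d, chosen '%s'\n", samples[i], (int)r,
               handshake_status(samples[i], "superchat"), chosen);
    }
    /* The vulnerable path is only exercised with a well-formed value here. */
    negotiate_vulnerable("chat", "chat", chosen, sizeof(chosen));
    return 0;
}
```

The hardened scanner never copies the header into a fixed buffer, so it also avoids the silent truncation that the strtok() version's 128-byte copy introduces; the only state it keeps is the token count, which is what decides between "no match" (reply 101 without a Sec-WebSocket-Protocol header) and "malformed" (reply 400).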
Recommended Action (AI)
Within 24 hours: Inventory all deployments running ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0 and identify which devices expose WebSocket endpoints. …
EUVD-2026-35914