What is the CVSS score of EUVD-2025-19059?

EUVD-2025-19059 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.6%.

Which versions of Esp Idf are affected by EUVD-2025-19059?

A critical vulnerability in Espressif's ESP-IDF framework (CVE-2025-52471) affects IoT devices using ESP-NOW protocol and could enable remote code execution on unpatched systems.. A patch is available.

How to fix or mitigate EUVD-2025-19059?

Within 24 hours: Inventory all deployed ESP-IDF devices and identify affected versions; notify development and operations teams. Within 7 days: Apply available patches (5.4.2, 5.3.4, 5.2.6, or 5.1.7) to development/test environments and validate functionality. Within 30 days: Complete production deployment of patched firmware versions across all ESP-NOW enabled IoT devices; document patch compliance and maintain update records.

Esp Idf EUVD-2025-19059

| CVE-2025-52471 CRITICAL

Integer Underflow (CWE-191)

2025-06-24 security-advisories@github.com

RCE Esp Idf

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-19059

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

Patch released

Mar 15, 2026 - 22:36 nvd

Patch available

CVE Published

Jun 24, 2025 - 20:15 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the data_len parameter received in the RX callback (registered via esp_now_register_recv_cb()) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.

AnalysisAI

A security vulnerability in the ESP-NOW protocol implementation within the ESP Wi-Fi component of (CVSS 9.8). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

Technical ContextAI

CWE-191 (Integer Underflow). CVSS 9.8 indicates critical severity with likely remote exploitation vector. Affects the ESP-NOW protocol implementation within the ESP Wi-Fi component of.