
ESP-IDF EUVD-2026-35914

CVE-2026-45541 · HIGH
NULL Pointer Dereference (CWE-476)
2026-06-10 · GitHub_M
CVSS 3.1 base score 7.5 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 01:51 (vuln.today)
Analysis Generated: Jun 10, 2026 - 01:51 (vuln.today)

Description (CVE.org)

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Analysis (AI)

A remote denial-of-service in the WebSocket handshake of Espressif ESP-IDF's esp_http_server allows unauthenticated attackers to crash IoT devices by sending a malformed Sec-WebSocket-Protocol header. The flaw (CWE-476, NULL-pointer dereference) is triggered before authentication, during subprotocol negotiation, and affects ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0. No public exploit was identified at the time of analysis, though the upstream fix commits disclose the exact vulnerable code path.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify reachable ESP32 device with HTTP server
Delivery: Send WebSocket upgrade with malformed Sec-WebSocket-Protocol header
Exploit: Trigger NULL-pointer dereference in httpd_ws_get_response_subprotocol
Execution: Crash esp_http_server task
Impact: Device loses HTTP/management availability until reboot

Vulnerability Assessment (AI)

Exploitation: The target device must run ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0 with the esp_http_server component compiled in and WebSocket support enabled, and must expose its HTTP server on a network reachable by the attacker. …

Risk Assessment: The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) accurately reflects an unauthenticated, low-complexity, network-reachable, availability-only impact, which is exactly a remote DoS. …

Exploit Scenario: An attacker on the same network as an ESP32 device running an esp_http_server WebSocket endpoint sends a single HTTP GET upgrade request with a malformed Sec-WebSocket-Protocol header (for example, a header whose tokenisation yields no first token). The server dereferences a NULL pointer during subprotocol matching and crashes the HTTP task, taking the device's management or telemetry interface offline until reboot or watchdog reset. …

Remediation: Upgrade ESP-IDF to the vendor-released patched version on the matching release branch (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1), then rebuild and reflash affected devices. See https://github.com/espressif/esp-idf/security/advisories/GHSA-3j8v-xgrq-5vg8 and fix commits 00a2f7fb, 0dc4ee75, 37508ab9, 9fc0ca13, dc46dc51, f88a47e4. …

Recommended Action (AI)

Within 24 hours: Inventory all deployments running ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0 and identify which devices expose WebSocket endpoints. …



EUVD-2026-35914 vulnerability details – vuln.today
