ESP-IDF EUVD-2026-35915

CVE-2026-45160 · MEDIUM · CVSS 3.1: 6.5 (Vendor: GitHub_M)
Out-of-bounds Read (CWE-125)
2026-06-10 · GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 01:54 vuln.today
Analysis Generated: Jun 10, 2026 - 01:54 vuln.today

Description (CVE.org)

ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser (parse_options() in components/lwip/apps/dhcpserver/dhcpserver.c) shipped with ESP-IDF's lwIP component. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects the DHCP server used by ESP-IDF's SoftAP and any configuration where the device runs as a DHCP server on a local network. This issue has been patched in versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2.

Analysis (AI)

Out-of-bounds read in ESP-IDF's embedded DHCP server crashes or exposes heap memory on ESP32 devices operating in SoftAP or DHCP server mode. The parse_options() function in the bundled lwIP DHCP server component walks BOOTP/DHCP option TLV fields without validating that each option's declared length stays within the received packet buffer, allowing an adjacent-network unauthenticated attacker to trigger a device crash by sending a single crafted DHCP request. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Connect to target ESP32 SoftAP BSS or shared L2 segment
Delivery: Craft DHCP request with malformed options TLV (oversized length byte)
Exploit: Transmit packet to device DHCP server (UDP/67)
Execution: parse_options() reads past options buffer end into heap
Impact: Out-of-bounds heap read triggers device crash (DoS)

Vulnerability Assessment (AI)

Exploitation: The target ESP32 device must be running firmware built with an affected ESP-IDF version (5.2.7, 5.3.5, 5.4.4, 5.5.4, or 6.0.1) AND must have SoftAP mode enabled or be explicitly configured as a DHCP server on a local network interface - devices operating solely as Wi-Fi station clients are not running the vulnerable DHCP server and are not affected. …

Risk Assessment: The CVSS 6.5 score with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately captures the primary denial-of-service risk: adjacent-network, unauthenticated, zero-complexity exploitation causing high availability impact. …

Exploit Scenario: An attacker within Wi-Fi range of an ESP32 device operating in SoftAP mode connects to its BSS and transmits a crafted DHCP DISCOVER or REQUEST packet whose options field contains a TLV entry with a length byte set to a value that extends the declared payload beyond the end of the received UDP buffer. The unpatched `parse_options()` advances its pointer past the buffer boundary, reading adjacent heap memory; depending on heap layout, this results in a crash (DoS) and potentially leaks heap contents back to the attacker. …

Remediation: Upgrade ESP-IDF to the vendor-released patched versions: 5.2.8, 5.3.6, 5.4.5, 5.5.5, or 6.0.2, as confirmed by the Espressif Security Advisory at https://github.com/espressif/esp-idf/security/advisories/GHSA-g764-gwc3-75m5 and corroborated by six upstream commits including https://github.com/espressif/esp-idf/commit/2bf4dd12002dbae60a4b21abff010ecb2b8ee82b. …
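
The missing validation described above can be shown with a bounds-checked option walk. This is an added example, not the ESP-IDF patch or code from the project: `parse_opts`, `struct dhcp_req` and the sample byte arrays are hypothetical names and constructed data, and rejecting a field with no END option is a strictness choice made for this example.

```c
#include <stdint.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_REQ_IP = 50, OPT_MSG_TYPE = 53, OPT_END = 255 };

struct dhcp_req {            /* hypothetical result type for this example */
    uint8_t msg_type;        /* option 53 value, 0 if absent */
    uint8_t requested_ip[4]; /* option 50 value, valid if has_requested_ip */
    int has_requested_ip;
};

/* Returns 0 on success, -1 if an option is truncated, mis-sized, or END is missing. */
int parse_opts(const uint8_t *opts, size_t opts_len, struct dhcp_req *out) {
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < opts_len) {
        uint8_t code = opts[off++];
        if (code == OPT_PAD) continue;       /* PAD and END carry no length byte */
        if (code == OPT_END) return 0;
        if (off >= opts_len) return -1;      /* length byte lies outside the buffer */
        uint8_t len = opts[off++];
        if ((size_t)len > opts_len - off) return -1; /* payload overruns the buffer */
        switch (code) {
        case OPT_MSG_TYPE:
            if (len != 1) return -1;         /* fixed-size option, wrong length */
            out->msg_type = opts[off];
            break;
        case OPT_REQ_IP:
            if (len != 4) return -1;         /* check before the 4-byte copy */
            memcpy(out->requested_ip, opts + off, 4);
            out->has_requested_ip = 1;
            break;
        default: break;                      /* unknown option: skip validated length */
        }
        off += len;
    }
    return -1;                               /* buffer ended without an END option */
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t sample_ok[] = {53, 1, 3, 50, 4, 192, 168, 4, 2, 0, 255};
static const uint8_t sample_overrun[] = {53, 1, 1, 12, 200, 'e', 's', 'p'};
static const uint8_t sample_no_len[] = {53, 1, 1, 12};

int main(void) {
    struct dhcp_req r;                       /* exit status 0 when all samples behave */
    return !(parse_opts(sample_ok, sizeof sample_ok, &r) == 0 &&
             parse_opts(sample_overrun, sizeof sample_overrun, &r) == -1 &&
             parse_opts(sample_no_len, sizeof sample_no_len, &r) == -1);
}
```

On a -1 return the output struct may be partially filled, so a caller should drop the whole packet rather than act on it.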
