
ESP-IDF EUVD-2026-35916 | CVE-2026-45328 HIGH
Improper Input Validation (CWE-20)
2026-06-10 · GitHub_M
CVSS 3.1 (NVD): 8.8

Severity by source

NVD (primary): 8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI: 8.8 HIGH

Attacker needs low-privileged code execution in the REE on the device (AV:L, PR:L); crossing into TEE changes the security authority (S:C) with full impact on TEE peripherals and secrets (C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (10 events)

Jun 11, 2026 - 18:28 vuln.today: Analysis Updated, v3 (cvss_changed)
Jun 11, 2026 - 18:28 vuln.today: Analysis Updated, v2 (cvss_changed)
Jun 11, 2026 - 18:22 vuln.today: Re-analysis Queued (cvss_changed)
Jun 11, 2026 - 18:22 NVD: Severity Changed, CRITICAL -> HIGH
Jun 11, 2026 - 18:22 NVD: CVSS changed, 9.3 (CRITICAL) -> 8.8 (HIGH)
Jun 11, 2026 - 18:22 vuln.today: Re-analysis Queued (cvss_changed)
Jun 11, 2026 - 18:22 NVD: Severity Changed, CRITICAL -> HIGH
Jun 11, 2026 - 18:22 NVD: CVSS changed, 9.3 (CRITICAL) -> 8.8 (HIGH)
Jun 10, 2026 - 01:53 vuln.today: Source Code Evidence Fetched
Jun 10, 2026 - 01:53 vuln.today: Analysis Generated

Description (NVD)

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.

Analysis (AI)

Privilege escalation from REE to TEE in Espressif ESP-IDF 5.5.4 and 6.0 lets a low-privileged user-application caller abuse esp_tee secure-service wrappers (AES, SHA, ECC, HMAC, SPI, MMU, WDT, attestation, OTA, secure storage) due to insufficient buffer-range validation in esp_secure_services.c and esp_secure_services_iram.c. EPSS is 0.02% and there is no public exploit identified at time of analysis, but technical impact is total because the flaw lets REE code reach TEE-protected hardware peripherals and security services.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Gain REE code execution on ESP32 device
Delivery: Identify esp_tee secure-service wrapper
Exploit: Craft buffer pointers spanning REE/TEE
Install: Invoke wrapper with malicious args
C2: Bypass pointer-only validation
Execute: Drive TEE peripherals or read/write TEE memory
Impact: Compromise attestation, secure storage and OTA

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target firmware to be built with the esp_tee component enabled on ESP-IDF 5.5.4 or 6.0 and the attacker to already be executing code in the Rich Execution Environment with the ability to invoke the esp_secure_services.c/esp_secure_services_iram.c wrappers (matching CVSS PR:L, AV:L, UI:N) - i.e. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H gives 8.8 and correctly reflects a local, low-privileged caller breaking the REE/TEE scope boundary with total confidentiality, integrity and availability impact on the secure side. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who can execute code in the REE - for example by exploiting a separate bug in the application firmware, by shipping a malicious component into the device's build, or by abusing a debug/OTA path on a device they physically possess - calls one of the esp_tee secure-service wrappers (e.g. _ss_esp_aes_crypt_cbc or the SHA wrappers) with crafted buffer pointers and lengths that pass the pre-patch start/end-pointer check but actually overlap TEE-protected memory or unchecked context/IV/state buffers. …

Remediation: Vendor-released patch: upgrade ESP-IDF to 5.5.5 (from 5.5.4) or 6.0.1 (from 6.0) and rebuild and re-flash any firmware that links the esp_tee component, per advisory https://github.com/espressif/esp-idf/security/advisories/GHSA-mmgp-73p4-92xp and the fix commits 145ba4c4, 440a5d19, 764626a1, 7867f4a5, afd14ab1 and eebabaff in espressif/esp-idf. … Detailed patch versions, workarounds, and compensating controls in full report.
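An added illustration of the weakness class the assessment describes (not ESP-IDF code and not the vendor's patch): a start/end-pointer check whose length arithmetic can wrap, beside an overflow-safe whole-range check that a service wrapper applies to every buffer argument, context and IV included. The REE window addresses and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, hypothetical memory map for illustration only. These are
 * not the real ESP32 address ranges or the esp_tee layout. */
#define REE_LO 0x40000000u
#define REE_HI 0x40100000u   /* exclusive end of the REE-accessible window */

/* Weak check in the style the analysis describes: the start pointer and
 * the computed end pointer are each tested against the window, but the
 * addition start + len is not overflow-safe, so a wrapping length can
 * produce an "end" that lands back inside the window. */
bool weak_ptr_check(uintptr_t start, size_t len)
{
    uintptr_t end = start + len;   /* may wrap around the address space */
    return start >= REE_LO && start < REE_HI &&
           end >= REE_LO && end <= REE_HI;
}

/* Hardened check: the whole [start, start + len) range must lie inside
 * the window. The length is compared against the space remaining after
 * start, so the arithmetic can never wrap. */
bool ree_range_ok(uintptr_t start, size_t len)
{
    if (start < REE_LO || start >= REE_HI) {
        return false;
    }
    return len <= (size_t)(REE_HI - start);
}

/* Hypothetical argument validator for a CBC-style service call. Every
 * buffer the service will touch is checked, including the context and
 * IV buffers, not only the input and output data buffers. */
bool validate_cbc_args(uintptr_t ctx, size_t ctx_len,
                       uintptr_t iv, size_t iv_len,
                       uintptr_t in, uintptr_t out, size_t data_len)
{
    return ree_range_ok(ctx, ctx_len) &&
           ree_range_ok(iv, iv_len) &&
           ree_range_ok(in, data_len) &&
           ree_range_ok(out, data_len);
}
```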

Recommended Action (AI)

24 hours: Inventory all systems running ESP-IDF versions 5.5.4 or 6.0 and immediately halt new deployments of these versions; verify which products are currently active in production environments. …
