
ESP-IDF EUVD-2026-35918 | CVE-2026-45542 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-10 · GitHub_M
CVSS 3.1 base score 7.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary and only source for this CVE: 7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 01:51 (vuln.today)
Analysis Generated: Jun 10, 2026 - 01:51 (vuln.today)

Description (CVE.org)

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. Because the allocation size is truncated while the copy uses the full client-supplied length, an oversized value writes past the end of the heap allocation. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
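The truncation-versus-copy asymmetry described above, as an added example in C. This is not ESP-IDF's code (the real handler is in components/protocomm/src/security/security2.c and is not reproduced here): the client_bytes_t layout only mirrors the shape of protobuf-c's ProtobufCBinaryData, the uint8_t narrowing, the USERNAME_MAX_LEN bound and every function name are assumptions made for illustration. The vulnerable model returns how many bytes the copy would overrun rather than performing it, so the program runs without corrupting its own heap; the hardened form shows the check a patched handler needs, bounding the untrusted length in size_t before any allocation and rejecting instead of truncating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the client-controlled protobuf bytes field. Mirrors the shape of
 * protobuf-c's ProtobufCBinaryData (size_t len + data pointer); the name is
 * this example's own, not ESP-IDF's. */
typedef struct {
    size_t len;
    const uint8_t *data;
} client_bytes_t;

/* Assumed upper bound for an SRP6a username. The advisory gives no number;
 * this value is the example's choice. */
#define USERNAME_MAX_LEN 64

/* Vulnerable pattern, reconstructed from the advisory's wording rather than
 * copied from security2.c: the allocation size passes through a type
 * narrower than size_t, the copy length does not. Instead of doing the
 * malloc/memcpy (which would corrupt this process's heap as well), return
 * how many bytes the copy would write past the allocation. */
size_t vulnerable_overflow_bytes(const client_bytes_t *field)
{
    uint8_t alloc_len = (uint8_t)field->len; /* 300 silently becomes 44 */
    size_t copy_len = field->len;            /* memcpy would use the full length */
    /* original shape: buf = malloc(alloc_len); memcpy(buf, field->data, copy_len); */
    return copy_len > (size_t)alloc_len ? copy_len - (size_t)alloc_len : 0;
}

/* Hardened form: bound the untrusted length in its native width before any
 * allocation, and reject rather than truncate. Returns a NUL-terminated heap
 * copy the caller frees, or NULL when the input is rejected. */
char *copy_username_checked(const client_bytes_t *field)
{
    if (field == NULL || field->data == NULL) {
        return NULL;
    }
    if (field->len == 0 || field->len > USERNAME_MAX_LEN) {
        return NULL; /* empty or oversized username: fail the session command */
    }
    char *buf = malloc(field->len + 1);
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, field->data, field->len);
    buf[field->len] = '\0';
    return buf;
}

/* Constructed input: a username of n 'A' bytes run through the vulnerable
 * model. Returns the overrun in bytes (0 when the copy fits). */
size_t model_overflow_for_len(size_t n)
{
    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL) {
        return 0;
    }
    memset(buf, 'A', n);
    client_bytes_t field = { n, buf };
    size_t over = vulnerable_overflow_bytes(&field);
    free(buf);
    return over;
}

/* Same constructed input through the hardened path. Returns the length of
 * the accepted copy, or -1 when the input is rejected. */
long checked_copy_for_len(size_t n)
{
    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL) {
        return -1;
    }
    memset(buf, 'A', n);
    client_bytes_t field = { n, buf };
    char *copy = copy_username_checked(&field);
    long result = copy ? (long)strlen(copy) : -1;
    free(copy);
    free(buf);
    return result;
}

int main(void)
{
    size_t lens[] = { 20, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%zu: vulnerable path overruns by %zu bytes, hardened path -> %ld\n",
               lens[i], model_overflow_for_len(lens[i]), checked_copy_for_len(lens[i]));
    }
    return 0;
}
```

The interesting boundary is 256: a length that fits the wire format but not a uint8_t truncates to 0, so the vulnerable model allocates nothing and the whole copy lands on foreign heap memory, which is why the advisory rates availability High. The hardened check rejects anything above the bound in the field's own size_t width, so no narrowing happens before the comparison.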

Analysis (AI-generated)

Heap buffer overflow in Espressif ESP-IDF's protocomm component allows adjacent-network attackers to corrupt heap memory during the SRP6a (Security Scheme 2) session-setup handshake on affected IoT devices running ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0. The flaw stems from a type-width mismatch in handle_session_command0() that trusts the client-supplied protobuf username length, enabling denial of service and potential integrity impact on provisioning interfaces. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Locate ESP32 in provisioning mode
Delivery: Connect to BLE/SoftAP protocomm endpoint
Exploit: Send crafted SessionCommand0 with oversized SRP6a username
Execution: Trigger heap overflow in handle_session_command0()
Persist: Corrupt adjacent heap allocations
Impact: Crash device or wedge onboarding

Vulnerability Assessment (AI-generated)

Exploitation: The target device must be running ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0 firmware AND must be in its provisioning state with the protocomm component active and Security Scheme 2 (SRP6a) configured as the security version. This is the default for ESP-IDF unified provisioning but is typically only exposed during initial device onboarding, factory reset, or explicit re-provisioning. …
Risk Assessment: The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H gives a base score of 7.1, driven primarily by the High availability impact and unauthenticated, low-complexity access, but constrained to the Adjacent network: the attacker must be on the same BLE or Wi-Fi provisioning link, not the open internet. …
Exploit Scenario: An attacker within Bluetooth Low Energy or Wi-Fi range of an ESP32 device in provisioning mode connects to its protocomm endpoint and sends a crafted SessionCommand0 protobuf message whose client_username field carries an oversized length, triggering the unchecked memcpy in handle_session_command0() and corrupting the heap. The most reliable outcome is a device crash and watchdog reset (denial of service of the onboarding flow); heap grooming on this embedded target could potentially extend that to integrity impact on adjacent allocations. …
Remediation: Vendor-released patches are available: upgrade ESP-IDF to 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1 (matching your release branch) and rebuild and reflash device firmware, per the GitHub Security Advisory at https://github.com/espressif/esp-idf/security/advisories/GHSA-9r76-858f-v6jh. Because the affected code is compiled into the firmware image, updating the build environment alone does nothing for devices already in the field; every shipped image must be rebuilt with a patched IDF and redeployed. …

Recommended Action (AI-generated)

24 hours: Identify all ESP-IDF deployments using versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0. The IDF version used for a build is reported by idf.py --version in the build environment and is compiled into the image (the ESP_IDF_VERSION_* macros; esp_get_idf_version() returns it at runtime), so it can be checked both per build tree and per device. …


EUVD-2026-35918 vulnerability details – vuln.today
