ESP-IDF EUVD-2026-35919

CVE-2026-46532 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-10 GitHub_M
4.6
CVSS 3.1 · Vendor: GitHub_M
Severity by source

Vendor (GitHub_M) PRIMARY
4.6 MEDIUM
AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 01:51 (vuln.today)
Analysis Generated: Jun 10, 2026 - 01:51 (vuln.today)

Description (CVE.org)

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c). This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1.

Analysis (AI)

Out-of-bounds read in ESP-IDF's BlueDroid AVRCP vendor-command parser allows adjacent Bluetooth attackers with low privileges to leak device memory and degrade availability across multiple ESP-IDF stable branches. Versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 are confirmed affected via the Espressif GitHub security advisory. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Enter Bluetooth radio range of target device
Delivery: Authenticate or pair with device (low-privilege pairing)
Exploit: Send malformed AVRCP vendor command with zero-length payload
Execution: avrc_pars_vendor_cmd() dereferences buffer pointer without length check
Persist: Read one byte past buffer boundary
Impact: Leak adjacent memory byte or trigger parser fault degrading availability

Vulnerability Assessment (AI)

Exploitation: The attacker must be within Bluetooth radio range of the target device (AV:A - Adjacent vector). …

Risk Assessment: The CVSS 4.6 score appropriately reflects meaningful but constrained real-world risk. …

Exploit Scenario: An attacker positions themselves within Bluetooth range of an ESP32 device running an affected ESP-IDF version, authenticates or pairs at a low privilege level, and transmits a crafted AVRCP GET_CAPABILITIES or LIST_APPLICATION_SETTING_VALUES vendor command with a zero-length parameter payload. The parser in avrc_pars_vendor_cmd() dereferences the buffer pointer without the length guard, reading one byte beyond the allocated buffer - potentially disclosing an adjacent memory byte or triggering a fault that degrades Bluetooth stack availability. …

Remediation: Upgrade to the corresponding patched release for your branch: 5.2.7, 5.3.6, 5.4.5, 5.5.4, or 6.0.1, as documented in the Espressif security advisory at https://github.com/espressif/esp-idf/security/advisories/GHSA-3pp8-42fh-3j3c. …
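
The kind of length guard the Exploit Scenario describes as missing, as an added C sketch that is not ESP-IDF's code or its patch. parse_vendor_cmd, its types and the sample buffers are hypothetical; the PDU layout (PDU ID, packet type, 2-byte big-endian parameter length, parameters) and the PDU IDs 0x10 and 0x12 are assumed from the AVRCP specification, not taken from this page.

```c
#include <stddef.h>
#include <stdint.h>

/* PDU IDs assumed from the AVRCP specification. */
#define PDU_GET_CAPABILITIES        0x10
#define PDU_LIST_APP_SETTING_VALUES 0x12
#define HDR_LEN 4 /* PDU ID (1) + packet type (1) + parameter length (2) */

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_LENGTH, PARSE_UNSUPPORTED };

struct vendor_cmd { uint8_t pdu; uint8_t param; }; /* hypothetical result type */

/* Hypothetical parser. buf is assumed to start at the PDU ID and len is the
 * number of bytes actually received, not the length the sender declared. */
enum parse_status parse_vendor_cmd(const uint8_t *buf, size_t len,
                                   struct vendor_cmd *out)
{
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return PARSE_TRUNCATED;          /* header not fully present */

    uint16_t param_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (param_len > len - HDR_LEN)
        return PARSE_TRUNCATED;          /* declared length exceeds received data */

    switch (buf[0]) {
    case PDU_GET_CAPABILITIES:
    case PDU_LIST_APP_SETTING_VALUES:
        /* Both commands carry one parameter byte. Without this check a
         * zero-length payload lets buf[4] read one byte past the data. */
        if (param_len != 1)
            return PARSE_BAD_LENGTH;
        out->pdu = buf[0];
        out->param = buf[HDR_LEN];
        return PARSE_OK;
    default:
        return PARSE_UNSUPPORTED;
    }
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_ok[]       = { 0x10, 0x00, 0x00, 0x01, 0x03 };
static const uint8_t sample_zero_len[] = { 0x10, 0x00, 0x00, 0x00 };
static const uint8_t sample_overlong[] = { 0x12, 0x00, 0x00, 0x01 }; /* claims 1 byte, sends 0 */

int main(void)
{
    struct vendor_cmd cmd;
    /* Exit status 0 when the zero-length payload is rejected. */
    return parse_vendor_cmd(sample_zero_len, sizeof sample_zero_len, &cmd)
           == PARSE_BAD_LENGTH ? 0 : 1;
}
```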