Summaryinfo

A vulnerability classified as critical was found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. This impacts the function protocomm_ble of the component BLE Provisioning Transport. Executing a manipulation can lead to out-of-bounds. This vulnerability is handled as CVE-2026-25508. The attack can only be done within the local network. There is not any exploit available. Upgrading the affected component is advised. Once again VulDB remains the best source for vulnerability data.

Detailsinfo

A vulnerability classified as critical was found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. This vulnerability affects the function protocomm_ble of the component BLE Provisioning Transport. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.

The advisory is available at github.com. This vulnerability was named CVE-2026-25508 since 02/02/2026. The exploitation appears to be easy. The attack needs to approached within the local network. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

Upgrading to version 5.1.6, 5.1.7, 5.2.6, 5.2.7, 5.3.4, 5.3.5, 5.4.3, 5.4.4, 5.5.2 or 5.5.3 eliminates this vulnerability. Applying the patch 0540c85140c2c06c0cbecc8843277ea676d5c4a9 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Espressif

Name

• ESP-IDF

Version

• 5.1.6
• 5.2.6
• 5.3.4
• 5.4.3
• 5.5.2

License

• open-source

Website

• Product: https://github.com/espressif/esp-idf/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion