Summaryinfo

A vulnerability, which was classified as problematic, has been found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. Affected is the function wpabuf_put_data. The manipulation of the argument frag_len leads to integer underflow. This vulnerability is uniquely identified as CVE-2026-25532. The attack can only be initiated within the local network. No exploit exists. It is advisable to upgrade the affected component. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. This issue affects the function wpabuf_put_data. The manipulation of the argument frag_len with an unknown input leads to a integer underflow vulnerability. Using CWE to declare the problem leads to CWE-191. The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. Impacted is integrity, and availability. The summary by CVE is:

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-25532 since 02/02/2026. The exploitation is known to be easy. The attack can only be done within the local network. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 5.1.6, 5.1.7, 5.2.6, 5.2.7, 5.3.4, 5.3.5, 5.4.3, 5.4.4, 5.5.2 or 5.5.3 eliminates this vulnerability. Applying the patch 60f992a26de17bb5406f2149a2f8282dd7ad1c59 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Espressif

Name

• ESP-IDF

Version

• 5.1.6
• 5.2.6
• 5.3.4
• 5.4.3
• 5.5.2

License

• open-source

Website

• Product: https://github.com/espressif/esp-idf/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion