espressif esp-idf 5.1.6/5.2.5/5.3.3/5.4.1 ESP-NOW Protocol esp_now_register_recv_cb data_len integer underflow

Summaryinfo

A vulnerability was found in espressif esp-idf 5.1.6/5.2.5/5.3.3/5.4.1. It has been rated as very critical. This vulnerability affects the function esp_now_register_recv_cb of the component ESP-NOW Protocol. This manipulation of the argument data_len causes integer underflow. The identification of this vulnerability is CVE-2025-52471. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in espressif esp-idf 5.1.6/5.2.5/5.3.3/5.4.1 and classified as very critical. Affected by this vulnerability is the function esp_now_register_recv_cb of the component ESP-NOW Protocol. The manipulation of the argument data_len with an unknown input leads to a integer underflow vulnerability. The CWE definition for the vulnerability is CWE-191. The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.

The advisory is shared at github.com. This vulnerability is known as CVE-2025-52471 since 06/17/2025. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/22/2026).

Upgrading eliminates this vulnerability. Applying the patch b1a379d57430d265a53aca13d59ddfbf2e7ac409 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-19059). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• espressif

Name

• esp-idf

Version

• 5.1.6
• 5.2.5
• 5.3.3
• 5.4.1

License

• open-source

Website

• Product: https://github.com/espressif/esp-idf/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion