FKIE_CVE-2026-25508

Vulnerability from fkie_nvd - Published: 2026-02-04 18:16 - Updated: 2026-02-20 17:13
Severity ?
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Summary
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
References
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cfPatch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63Patch
security-advisories@github.comhttps://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9Third Party Advisory
Impacted products
Vendor Product Version
espressif esp-idf 5.1.6
espressif esp-idf 5.2.6
espressif esp-idf 5.3.4
espressif esp-idf 5.4.3
espressif esp-idf 5.5.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "37A040C2-E9D4-4678-9A10-74B5AEE4901D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA4D9168-C8C1-4B1A-81C3-D4888DB36CAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CA4F443-03D3-4B10-909E-A813F72BC08C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:espressif:esp-idf:5.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "43489143-3F90-42E6-B75F-78CBEAD09C4D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."
    },
    {
      "lang": "es",
      "value": "ESF-IDF es el Framework de Desarrollo de Internet de las Cosas (IoT) de Espressif. En las versiones 5.5.2, 5.4.3, 5.3.4, 5.2.6 y 5.1.6, se inform\u00f3 una vulnerabilidad de lectura fuera de l\u00edmites en el manejo de BLE ATT Prepare Write del transporte de aprovisionamiento BLE (protocomm_ble). El problema puede ser activado por un cliente BLE remoto mientras el dispositivo est\u00e1 en modo de aprovisionamiento. El transporte acumul\u00f3 fragmentos de escritura preparada en un b\u00fafer de tama\u00f1o fijo pero rastre\u00f3 incorrectamente la longitud acumulativa. Al enviar solicitudes repetidas de escritura preparada con desplazamientos superpuestos, un cliente remoto podr\u00eda hacer que la longitud informada excediera el tama\u00f1o del b\u00fafer asignado. Esta longitud inflada fue luego pasada a los manejadores de aprovisionamiento durante el procesamiento de ejecuci\u00f3n de escritura, resultando en una lectura fuera de l\u00edmites y potencial corrupci\u00f3n de memoria. Este problema ha sido parcheado en las versiones 5.5.3, 5.4.4, 5.3.5, 5.2.7 y 5.1.7."
    }
  ],
  "id": "CVE-2026-25508",
  "lastModified": "2026-02-20T17:13:08.147",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-04T18:16:09.547",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.