{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-52471", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-17T02:28:39.716Z", "datePublished": "2025-06-24T19:53:06.066Z", "dateUpdated": "2025-06-24T20:02:18.529Z"}, "containers": {"cna": {"title": "ESP-NOW Integer Underflow Vulnerability Advisory", "problemTypes": [{"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g"}, {"name": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409"}, {"name": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5"}, {"name": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7"}, {"name": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8"}, {"name": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2"}, {"name": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80"}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"version": "= 5.4.1", "status": "affected"}, {"version": "= 5.3.3", "status": "affected"}, {"version": "= 5.2.5", "status": "affected"}, {"version": "= 5.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T19:53:06.066Z"}, "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."}], "source": {"advisory": "GHSA-hqhh-cp47-fv5g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T20:02:03.737707Z", "id": "CVE-2025-52471", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:02:18.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52471", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-24T20:02:03.737707Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:02:06.375Z"}}], "cna": {"title": "ESP-NOW Integer Underflow Vulnerability Advisory", "source": {"advisory": "GHSA-hqhh-cp47-fv5g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"status": "affected", "version": "= 5.4.1"}, {"status": "affected", "version": "= 5.3.3"}, {"status": "affected", "version": "= 5.2.5"}, {"status": "affected", "version": "= 5.1.6"}]}], "references": [{"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g", "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409", "name": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5", "name": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7", "name": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8", "name": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2", "name": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80", "name": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T19:53:06.066Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52471", "state": "PUBLISHED", "dateUpdated": "2025-06-24T20:02:18.529Z", "dateReserved": "2025-06-17T02:28:39.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-24T19:53:06.066Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "AFFE82AE-24D5-4EF1-8A31-0965A8355F8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "96ED2D39-F568-4F63-B475-6F8F5D8E90EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "1AB79292-C9AD-4F49-8644-00736AE0FE78", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation."}, {"lang": "es", "value": "ESF-IDF es el framework de desarrollo de Espressif para el Internet de las Cosas (IoT). Se ha identificado una vulnerabilidad de subdesbordamiento de enteros en la implementaci\u00f3n del protocolo ESP-NOW dentro del componente Wi-Fi ESP de las versiones 5.4.1, 5.3.3, 5.2.5 y 5.1.6 del marco ESP-IDF. Este problema se debe a una validaci\u00f3n insuficiente de la longitud de los datos proporcionados por el usuario en la funci\u00f3n de recepci\u00f3n de paquetes. En determinadas circunstancias, esto puede provocar accesos a memoria fuera de los l\u00edmites y permitir operaciones de escritura arbitrarias. En sistemas sin un esquema de protecci\u00f3n de memoria, este comportamiento podr\u00eda utilizarse para lograr la ejecuci\u00f3n remota de c\u00f3digo (RCE) en el dispositivo de destino. En las versiones 5.4.2, 5.3.4, 5.2.6 y 5.1.6, ESP-NOW ha a\u00f1adido una l\u00f3gica de validaci\u00f3n m\u00e1s completa sobre la longitud de los datos proporcionados por el usuario durante la recepci\u00f3n de paquetes para evitar el subdesbordamiento de enteros causado por c\u00e1lculos de valores negativos. Para ESP-IDF v5.3 y versiones anteriores, se puede aplicar una soluci\u00f3n alternativa validando que el par\u00e1metro `data_len` recibido en la devoluci\u00f3n de llamada RX (registrado mediante `esp_now_register_recv_cb()`) sea un valor positivo antes de continuar con el procesamiento. Para ESP-IDF v5.4 y versiones posteriores, no hay ninguna soluci\u00f3n alternativa a nivel de aplicaci\u00f3n. Se recomienda a los usuarios actualizar a una versi\u00f3n parcheada de ESP-IDF para aprovechar la mitigaci\u00f3n integrada."}], "id": "CVE-2025-52471", "lastModified": "2026-01-22T16:05:44.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-24T20:15:26.033", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-06T22:16:27.436092+00:00", "updated": "2025-07-06T22:16:27.436163+00:00", "vendors": ["espressif", "espressif$PRODUCT$esp-idf"]}