{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25507", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.486Z", "datePublished": "2026-02-04T17:58:18.605Z", "dateUpdated": "2026-02-04T19:24:17.464Z"}, "containers": {"cna": {"title": "ESF-IDF Has Use-after-free Vulnerability in BLE Provisioning", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg"}, {"name": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"}, {"name": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"}, {"name": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"}, {"name": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"}, {"name": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"}, {"name": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"}, {"name": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"version": "= 5.5.2", "status": "affected"}, {"version": "= 5.4.3", "status": "affected"}, {"version": "= 5.3.4", "status": "affected"}, {"version": "= 5.2.6", "status": "affected"}, {"version": "= 5.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:58:18.605Z"}, "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}], "source": {"advisory": "GHSA-h7r3-gmg9-xjmg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:22:43.554589Z", "id": "CVE-2026-25507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:24:17.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:22:43.554589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:24:11.532Z"}}], "cna": {"title": "ESF-IDF Has Use-after-free Vulnerability in BLE Provisioning", "source": {"advisory": "GHSA-h7r3-gmg9-xjmg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"status": "affected", "version": "= 5.5.2"}, {"status": "affected", "version": "= 5.4.3"}, {"status": "affected", "version": "= 5.3.4"}, {"status": "affected", "version": "= 5.2.6"}, {"status": "affected", "version": "= 5.1.6"}]}], "references": [{"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg", "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "name": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "name": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "name": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "name": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "name": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "name": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "name": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:58:18.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25507", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:24:17.464Z", "dateReserved": "2026-02-02T18:21:42.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:58:18.605Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "37A040C2-E9D4-4678-9A10-74B5AEE4901D", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "AA4D9168-C8C1-4B1A-81C3-D4888DB36CAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7CA4F443-03D3-4B10-909E-A813F72BC08C", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "43489143-3F90-42E6-B75F-78CBEAD09C4D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}, {"lang": "es", "value": "ESF-IDF es el Framework de Desarrollo de Internet de las Cosas (IoT) de Espressif. En las versiones 5.5.2, 5.4.3, 5.3.4, 5.2.6 y 5.1.6, se inform\u00f3 una vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n en la capa de transporte de aprovisionamiento BLE (protocomm_ble). El problema puede ser activado por un cliente BLE remoto mientras el dispositivo est\u00e1 en modo de aprovisionamiento. La vulnerabilidad ocurri\u00f3 cuando el aprovisionamiento se detuvo con keep_ble_on = true. En esta configuraci\u00f3n, el estado interno de protocomm_ble y los metadatos GATT fueron liberados mientras la pila BLE y los servicios GATT permanecieron activos. Las devoluciones de llamada de lectura o escritura BLE posteriores desreferenciaron memoria liberada, permitiendo a un cliente conectado o reci\u00e9n conectado activar un acceso a memoria inv\u00e1lido. Este problema ha sido parcheado en las versiones 5.5.3, 5.4.4, 5.3.5, 5.2.7 y 5.1.7."}], "id": "CVE-2026-25507", "lastModified": "2026-02-20T17:12:46.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T18:16:09.360", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:21:53.098235+00:00", "value": {"mitigation_remediation": ["Update the ESP-IDF library to any version 5.5.3 or later, 5.4.4 or later, 5.3.5 or later, 5.2.7 or later, or 5.1.7 or later.", "Modify the provisioning logic to avoid using keep_ble_on\u202f=\u202ftrue when stopping provisioning, ensuring that all BLE resources are released cleanly.", "If an immediate firmware update is not feasible, disable BLE provisioning or disconnect the BLE client to prevent the exploit from being triggered."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via BLE use\u2011after\u2011free"}, "threat_synthesis": {"affected_systems": "Devices running ESP\u2011IDF version 5.5.2, 5.4.3, 5.3.4, 5.2.6 or 5.1.6 are vulnerable. The fix is available in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7 and 5.1.7.", "description_and_impact": "Resources in the ESP\u2011IDF BLE provision transport have a use\u2011after\u2011free flaw that lets an active or reconnecting BLE client read or write to memory after the provisioning objects are freed. The defect occurs only when provisioning is stopped with keep_ble_on set to true, leaving the GATT services active while the underlying structures are deallocated. The attacker can trigger invalid memory access, which can compromise the integrity of the firmware and potentially allow arbitrary code execution.", "risk_and_exploitability": "The CVSS score is 6.3 and the EPSS is less than 1\u202f%, indicating a moderate severity but low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker needs to connect to the device while it is in provisioning mode and issue a read or write operation after provisioning has been halted with keep_ble_on true. No authentication or privileged permissions are enumerated, so the attack channel is remote BLE only."}}}}, "created": "2026-02-05T11:39:40.122437+00:00", "updated": "2026-04-17T23:30:15.912309+00:00", "vendors": ["espressif", "espressif$PRODUCT$esp-idf"]}