{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25508", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.486Z", "datePublished": "2026-02-04T17:58:28.502Z", "dateUpdated": "2026-02-04T19:21:38.860Z"}, "containers": {"cna": {"title": "ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisioning", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9"}, {"name": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"}, {"name": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"}, {"name": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"}, {"name": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"}, {"name": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"}, {"name": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"}, {"name": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"version": "= 5.5.2", "status": "affected"}, {"version": "= 5.4.3", "status": "affected"}, {"version": "= 5.3.4", "status": "affected"}, {"version": "= 5.2.6", "status": "affected"}, {"version": "= 5.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:58:28.502Z"}, "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}], "source": {"advisory": "GHSA-9j5x-rf36-54x9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:21:25.847888Z", "id": "CVE-2026-25508", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:21:38.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:21:25.847888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:21:32.343Z"}}], "cna": {"title": "ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisioning", "source": {"advisory": "GHSA-9j5x-rf36-54x9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "espressif", "product": "esp-idf", "versions": [{"status": "affected", "version": "= 5.5.2"}, {"status": "affected", "version": "= 5.4.3"}, {"status": "affected", "version": "= 5.3.4"}, {"status": "affected", "version": "= 5.2.6"}, {"status": "affected", "version": "= 5.1.6"}]}], "references": [{"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9", "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "name": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "name": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "name": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "name": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "name": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "name": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "name": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:58:28.502Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25508", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:21:38.860Z", "dateReserved": "2026-02-02T18:21:42.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:58:28.502Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "90D991F0-A03E-44CF-9187-75897399797A", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "37A040C2-E9D4-4678-9A10-74B5AEE4901D", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "AA4D9168-C8C1-4B1A-81C3-D4888DB36CAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "7CA4F443-03D3-4B10-909E-A813F72BC08C", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:5.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "43489143-3F90-42E6-B75F-78CBEAD09C4D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."}, {"lang": "es", "value": "ESF-IDF es el Framework de Desarrollo de Internet de las Cosas (IoT) de Espressif. En las versiones 5.5.2, 5.4.3, 5.3.4, 5.2.6 y 5.1.6, se inform\u00f3 una vulnerabilidad de lectura fuera de l\u00edmites en el manejo de BLE ATT Prepare Write del transporte de aprovisionamiento BLE (protocomm_ble). El problema puede ser activado por un cliente BLE remoto mientras el dispositivo est\u00e1 en modo de aprovisionamiento. El transporte acumul\u00f3 fragmentos de escritura preparada en un b\u00fafer de tama\u00f1o fijo pero rastre\u00f3 incorrectamente la longitud acumulativa. Al enviar solicitudes repetidas de escritura preparada con desplazamientos superpuestos, un cliente remoto podr\u00eda hacer que la longitud informada excediera el tama\u00f1o del b\u00fafer asignado. Esta longitud inflada fue luego pasada a los manejadores de aprovisionamiento durante el procesamiento de ejecuci\u00f3n de escritura, resultando en una lectura fuera de l\u00edmites y potencial corrupci\u00f3n de memoria. Este problema ha sido parcheado en las versiones 5.5.3, 5.4.4, 5.3.5, 5.2.7 y 5.1.7."}], "id": "CVE-2026-25508", "lastModified": "2026-02-20T17:13:08.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T18:16:09.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:21:40.684679+00:00", "value": {"mitigation_remediation": ["Upgrade ESP\u2011IDF to at least version 5.1.7, 5.2.7, 5.3.5, 5.4.4, or 5.5.3, ensuring all related patches are applied", "If an upgrade is not possible, disable BLE provisioning on the device or keep the device out of provisioning mode while not in use", "Consider limiting BLE access to trusted devices or using network segmentation to reduce the likelihood of a remote BLE client finding the provisioning interface"], "summary": {"action": "Apply Patch", "impact": "Remote Out-of-Bounds Read"}, "threat_synthesis": {"affected_systems": "The affected products are Espressif\u2019s ESP\u2011IDF firmware versions 5.1.6, 5.2.6, 5.3.4, 5.4.3, and 5.5.2. The vulnerability is present only while the device is in provisioning mode. The firmware upgrade path to mitigate the issue is to update to the patched releases: 5.1.7, 5.2.7, 5.3.5, 5.4.4, and 5.5.3, or any newer release that incorporates the fix.", "description_and_impact": "The vulnerability involves an out-of-bounds read in the BLE ATT Prepare Write handling of the BLE provisioning transport. A remote BLE client that can send overlapping prepare write requests to a device in provisioning mode can cause the accumulated length of fragments to exceed the fixed buffer size. The inflated length is later used during execute-write processing, leading to an out-of-bounds read and possible memory corruption. This flaw is a classic buffer misuse (CWE-125) that can degrade confidentiality, integrity, or availability of the device if successful. The description states only an out-of-bounds read; no direct evidence of code execution is provided, but memory corruption can lead to fault conditions or crashes.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a medium severity. The EPSS score is reported as less than 1%\u2014a very low but nonzero probability of exploitation. The vulnerability requires remote interaction over BLE while the device is in provisioning mode, so an attacker must be able to perform BLE communications with the target. No information is provided that the flaw is exploit dependent on additional privileges or other conditions. The fact that the flaw was identified as a memory corruption vulnerability suggests that exploitation could lead to device instability or crash, but the potential for more serious impact (e.g., code execution) is not documented. The CVE is not listed in the CISA KEV catalog, further suggesting that no active, publicly known exploits are known at this time."}}}}, "created": "2026-02-05T11:40:08.370508+00:00", "updated": "2026-04-17T23:30:15.911812+00:00", "vendors": ["espressif", "espressif$PRODUCT$esp-idf"]}