CVE-2025-64342
BaseFortify
Publication date: 2025-11-17
Last updated on: 2025-11-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espressif | iot_development_framework | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Espressif Internet of Things Development Framework (ESF-IDF) when the ESP32 device is in advertising mode. If the device receives a connection request with an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, the advertising process may stop unexpectedly. Additionally, the controller might incorrectly report a successful connection event to the host, causing the application layer to mistakenly believe a connection has been established.
How can this vulnerability impact me? :
The impact of this vulnerability is that the ESP32 device may stop advertising unexpectedly, which can disrupt normal device operation and connectivity. Moreover, the application layer may be misled into thinking a connection has been successfully made when it has not, potentially causing incorrect application behavior or logic errors.
What immediate steps should I take to mitigate this vulnerability?
Update the ESF-IDF to a fixed version: 5.5.2, 5.4.3, 5.3.5, 5.2.6, or 5.1.7, as these versions contain the fix for the vulnerability where advertising may stop unexpectedly due to invalid Access Address values.