CVE-2025-68473
Unknown Unknown - Not Provided
Out-of-Bounds Write in ESP-IDF Bluetooth SDP Service Discovery

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68473
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
espressif esp-idf 5.1.6
espressif esp-idf 5.4.3
espressif esp-idf 5.3.4
espressif esp-idf 5.2.6
espressif esp-idf 5.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ESP-IDF Bluetooth host stack (BlueDroid) where the function bta_dm_sdp_result() uses a fixed-size array to store discovered Bluetooth service UUIDs during the Service Discovery Protocol process. If more than 32 services are discovered, which can happen on modern Bluetooth devices, the function may write beyond the bounds of this fixed-size array, causing an out-of-bounds write condition.

Impact Analysis

The out-of-bounds write condition caused by this vulnerability could potentially lead to memory corruption, which might be exploited to cause unexpected behavior, crashes, or possibly allow an attacker to execute arbitrary code on the affected device.

Mitigation Strategies

To mitigate this vulnerability, you should update your Espressif ESP-IDF Bluetooth stack to a patched version where the fix for CVE-2025-68473 has been applied. The fix includes adding bounds checking in the function bta_dm_sdp_result() to ensure no more than 32 UUIDs are processed and stored, preventing out-of-bounds writes. Specifically, upgrade to ESP-IDF versions 5.1.7, 5.2.7, 5.3.5, 5.4.4, 5.5.2 or later, which include the patch that defines a maximum UUID count (MAX_UUID_NUM=32) and enforces this limit with proper checks and warnings. This prevents memory corruption or crashes caused by the vulnerability. [7]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart