CVE-2025-68474
Buffer Overflow in ESP-IDF BlueDroid AVRCP Stack Causes Memory Corruption

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: GitHub, Inc.

Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value: 29 bytes are written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled.
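The following C program is an added illustration of the size-check gap the description identifies; it is not ESP-IDF or BlueDroid source code. It models a fixed-size message pool (the pool size EXAMPLE_CMD_POOL_SIZE is a constructed value, not the real one) and places the advisory's two numbers side by side: the 20-byte AVRC_MIN_CMD_LEN the old check used, and the 29 bytes actually written before the vendor payload. It then enumerates the range of vendor_len values the old check admits even though the build would overrun the pool, and shows a bounds-checked builder that refuses them.

```c
/* Illustrative model of the CVE-2025-68474 length check (added example,
 * not ESP-IDF/BlueDroid code). All sizes except the two from the advisory
 * are constructed for this demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant the old validation used, as cited by the advisory (20 bytes). */
#define AVRC_MIN_CMD_LEN 20
/* Bytes actually written ahead of the vendor payload, per the advisory. */
#define AVRC_VENDOR_HDR_LEN 29
/* Constructed pool size for the message buffer (assumption for this model). */
#define EXAMPLE_CMD_POOL_SIZE 64

/* Bytes the message build really consumes for a given payload length. */
static size_t bytes_required(size_t vendor_len) {
    return AVRC_VENDOR_HDR_LEN + vendor_len;
}

/* Old validation: checks the pool against the minimum command length plus
 * the payload, which under-counts the header by 9 bytes. */
static bool old_size_check(size_t vendor_len) {
    return EXAMPLE_CMD_POOL_SIZE > AVRC_MIN_CMD_LEN + vendor_len;
}

/* Hardened validation: every byte written before the payload is counted. */
static bool fixed_size_check(size_t vendor_len) {
    return bytes_required(vendor_len) <= EXAMPLE_CMD_POOL_SIZE;
}

/* True when the old check admits a payload whose build overruns the pool. */
static bool old_check_overflows(size_t vendor_len) {
    return old_size_check(vendor_len) &&
           bytes_required(vendor_len) > EXAMPLE_CMD_POOL_SIZE;
}

/* Number of distinct vendor_len values in the unsafe window. */
static size_t count_overflow_window(void) {
    size_t n = 0;
    for (size_t v = 0; v <= EXAMPLE_CMD_POOL_SIZE; v++) {
        if (old_check_overflows(v)) n++;
    }
    return n;
}

/* Bounds-checked builder: writes the fixed header followed by the payload
 * into `out` (capacity `cap`). Returns bytes written, or -1 if the message
 * would not fit. The header bytes are placeholders (0xAA), not real AVRCP. */
static int build_vendor_msg(uint8_t *out, size_t cap,
                            const uint8_t *vendor, size_t vendor_len) {
    if (out == NULL || cap < bytes_required(vendor_len)) return -1;
    if (vendor_len != 0 && vendor == NULL) return -1;
    memset(out, 0xAA, AVRC_VENDOR_HDR_LEN);
    if (vendor_len != 0) memcpy(out + AVRC_VENDOR_HDR_LEN, vendor, vendor_len);
    return (int)bytes_required(vendor_len);
}

int main(void) {
    uint8_t pool[EXAMPLE_CMD_POOL_SIZE];
    uint8_t payload[EXAMPLE_CMD_POOL_SIZE];
    memset(payload, 0x11, sizeof payload); /* constructed payload bytes */

    printf("pool=%d old_min=%d real_hdr=%d\n", EXAMPLE_CMD_POOL_SIZE,
           AVRC_MIN_CMD_LEN, AVRC_VENDOR_HDR_LEN);
    for (size_t v = 0; v <= EXAMPLE_CMD_POOL_SIZE; v++) {
        if (old_check_overflows(v)) {
            printf("vendor_len=%zu: old check passes, needs %zu bytes, "
                   "builder says %d\n", v, bytes_required(v),
                   build_vendor_msg(pool, sizeof pool, payload, v));
        }
    }
    printf("unsafe window size: %zu\n", count_overflow_window());
    return 0;
}
```

With a 64-byte pool the old check admits any vendor_len up to 43, while the build needs 29 + vendor_len bytes, so only payloads up to 35 bytes fit; the eight lengths in between are exactly the "approaches the buffer limit" case the description refers to, and the bounds-checked builder returns -1 for each of them. The same arithmetic applies to whatever the real pool size is.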
Meta Information
Published: 2025-12-27
Last Modified: 2025-12-27
Generated: 2026-05-07
AI Q&A: 2025-12-27
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 5 associated CPEs
Vendor     Product   Version / Range
espressif  esp-idf   5.1.6
espressif  esp-idf   5.4.3
espressif  esp-idf   5.3.4
espressif  esp-idf   5.2.6
espressif  esp-idf   5.5.1
CWE ID   Description
CWE-787  The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the ESP-IDF BlueDroid AVRCP stack's avrc_vendor_msg() function. The allocated buffer size is validated using a minimum command length of 20 bytes, but the actual fixed header data written before the vendor payload is 29 bytes. This mismatch can cause an out-of-bounds write when the vendor payload length approaches the buffer limit, potentially leading to memory corruption, crashes, or other undefined behavior.


How can this vulnerability impact me?

The vulnerability can lead to memory corruption, application crashes, or other undefined behaviors due to out-of-bounds writes. This can affect the stability and security of devices using the affected ESP-IDF versions, potentially allowing attackers to disrupt normal operation or exploit the system further.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the ESP-IDF framework to a version that includes the fix for CVE-2025-68474. The fix involves patches to the avrc_vendor_msg() function in the Bluetooth AVRCP stack that add proper input validation, buffer size checks, and safe memory allocation to prevent out-of-bounds writes. Ensure that your ESP32 devices or products using the ESP-IDF BlueDroid AVRCP stack are running these patched versions (5.5.1 or later with the fix applied). Additionally, avoid running untrusted Bluetooth AVRCP vendor commands from adjacent attackers, as the vulnerability can be exploited without privileges or user interaction. If updating immediately is not possible, consider disabling Bluetooth AVRCP vendor command handling or restricting Bluetooth access to trusted devices until the patch can be applied. [1, 2, 3, 4, 5, 6, 7]

