CVE-2026-25507
Unknown Unknown - Not Provided
Use-After-Free in Espressif BLE Provisioning Enables Remote Memory Access

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-20
Generated
2026-05-07
AI Q&A
2026-02-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25507
EUVD
EUVD-2026-5377
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
espressif esp-idf 5.1.6
espressif esp-idf 5.2.6
espressif esp-idf 5.3.4
espressif esp-idf 5.4.3
espressif esp-idf 5.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the BLE provisioning transport layer (protocomm_ble) of the Espressif Internet of Things Development Framework (ESF-IDF). It occurs when the device is in provisioning mode and provisioning is stopped with the setting keep_ble_on = true. In this state, internal protocomm_ble data and GATT metadata are freed, but the BLE stack and GATT services remain active. As a result, subsequent BLE read or write operations can access freed memory, which can be triggered by a remote BLE client, leading to invalid memory access.


How can this vulnerability impact me? :

The vulnerability can allow a remote BLE client to cause invalid memory access on the affected device. This can lead to potential denial of service or other unpredictable behavior due to the use-after-free condition. Since the CVSS score indicates a high impact on availability (A:H) but no impact on confidentiality or integrity, the main risk is disruption of device operation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the ESF-IDF to a patched version where the issue is fixed.

  • Upgrade to ESF-IDF version 5.5.3 or later.
  • Alternatively, upgrade to versions 5.4.4, 5.3.5, 5.2.7, or 5.1.7, which also contain the patch.

These updates address the use-after-free vulnerability in the BLE provisioning transport layer by correcting the handling of internal state when provisioning is stopped with keep_ble_on = true.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart