CVE-2026-25507
Unknown Unknown - Not Provided
Use-After-Free in Espressif BLE Provisioning Enables Remote Memory Access

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25507
EUVD
EUVD-2026-5377
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
espressif esp-idf 5.1.6
espressif esp-idf 5.2.6
espressif esp-idf 5.3.4
espressif esp-idf 5.4.3
espressif esp-idf 5.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the BLE provisioning transport layer (protocomm_ble) of the Espressif Internet of Things Development Framework (ESF-IDF). It occurs when the device is in provisioning mode and provisioning is stopped with the setting keep_ble_on = true. In this state, internal protocomm_ble data and GATT metadata are freed, but the BLE stack and GATT services remain active. As a result, subsequent BLE read or write operations can access freed memory, which can be triggered by a remote BLE client, leading to invalid memory access.

Impact Analysis

The vulnerability can allow a remote BLE client to cause invalid memory access on the affected device. This can lead to potential denial of service or other unpredictable behavior due to the use-after-free condition. Since the CVSS score indicates a high impact on availability (A:H) but no impact on confidentiality or integrity, the main risk is disruption of device operation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the ESF-IDF to a patched version where the issue is fixed.

  • Upgrade to ESF-IDF version 5.5.3 or later.
  • Alternatively, upgrade to versions 5.4.4, 5.3.5, 5.2.7, or 5.1.7, which also contain the patch.

These updates address the use-after-free vulnerability in the BLE provisioning transport layer by correcting the handling of internal state when provisioning is stopped with keep_ble_on = true.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart