CVE-2026-25508
Out-of-Bounds Read in ESP-IDF BLE Provisioning Transport

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
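The length-accounting flaw the description outlines, as an added C model that is not ESP-IDF source (buffer size, fragment sizes and the function names are constructed): the vulnerable bookkeeping sits beside a hardened version, plus the execute-write bounds check a handler should be protected by.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PREP_BUF_SIZE 64            /* constructed size of the fixed reassembly buffer */

typedef struct {
    uint8_t buf[PREP_BUF_SIZE];     /* accumulates ATT Prepare Write fragments */
    size_t  len;                    /* length handed to the handler at Execute Write */
} prep_ctx_t;

/* Vulnerable bookkeeping (modelled, not ESP-IDF code): each fragment's length is
 * added to a running total. The copy itself stays inside buf, but two fragments
 * written at the same offset are counted twice, so len can exceed PREP_BUF_SIZE. */
static bool prep_write_vuln(prep_ctx_t *c, uint16_t off, const uint8_t *d, size_t n) {
    if ((size_t)off + n > PREP_BUF_SIZE) return false;
    memcpy(c->buf + off, d, n);
    c->len += n;                    /* BUG: ignores the offset; overlap inflates len */
    return true;
}

/* Hardened bookkeeping: the assembled length is the highest byte actually written
 * (off + n), never a sum, so overlapping fragments cannot push it past the buffer. */
static bool prep_write_fixed(prep_ctx_t *c, uint16_t off, const uint8_t *d, size_t n) {
    size_t end = (size_t)off + n;
    if (end > PREP_BUF_SIZE) return false;
    memcpy(c->buf + off, d, n);
    if (end > c->len) c->len = end;
    return true;
}

/* Execute Write: returns the length a handler would read, or -1 if it is rejected.
 * This check is the second line of defence; the handler must never see len > buf. */
static long exec_write(const prep_ctx_t *c) {
    return c->len <= PREP_BUF_SIZE ? (long)c->len : -1;
}

/* Replay one constructed fragment sequence (40 bytes at offset 0, sent twice)
 * through either implementation and report what Execute Write would hand on. */
long replay_overlap(bool use_fixed) {
    prep_ctx_t c = {0};
    uint8_t frag[40];
    memset(frag, 0x41, sizeof frag);
    for (int i = 0; i < 2; i++)
        (use_fixed ? prep_write_fixed : prep_write_vuln)(&c, 0, frag, sizeof frag);
    return use_fixed ? exec_write(&c) : (long)c.len;  /* vuln path passed len unchecked */
}
```

With the vulnerable accounting the handler is told 80 bytes sit in a 64-byte buffer; with the fixed accounting it is told 40.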
Affected Vendors & Products
Vendor Product Version / Range
espressif esp-idf 5.1.6
espressif esp-idf 5.2.6
espressif esp-idf 5.3.4
espressif esp-idf 5.4.3
espressif esp-idf 5.5.2
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Espressif Internet of Things Development Framework (ESP-IDF) versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. It is an out-of-bounds read issue in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble).

The problem occurs because the transport accumulates prepared-write fragments in a fixed-size buffer but incorrectly tracks the cumulative length. A remote BLE client can exploit this by sending repeated prepare write requests with overlapping offsets, causing the reported length to exceed the allocated buffer size.

When the inflated length is passed to provisioning handlers during execute-write processing, it results in an out-of-bounds read and potential memory corruption.

This vulnerability can be triggered remotely while the device is in provisioning mode and has been patched in later versions.


How can this vulnerability impact me?

This vulnerability can lead to memory corruption due to an out-of-bounds read triggered by a remote BLE client during device provisioning.

Memory corruption can cause unexpected behavior such as crashes, denial of service, or potentially allow an attacker to execute arbitrary code or disrupt device operation.

Since the vulnerability can be exploited remotely without privileges, it poses a significant risk to devices using the affected ESP-IDF versions during provisioning.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update ESP-IDF to a patched version. The issue has been fixed in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.

