CVE-2026-25508
Unknown Unknown - Not Provided

Out-of-Bounds Read in ESF-IDF BLE Provisioning Transport

Vulnerability report for CVE-2026-25508, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-04
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
espressif esp-idf 5.1.6
espressif esp-idf 5.2.6
espressif esp-idf 5.3.4
espressif esp-idf 5.4.3
espressif esp-idf 5.5.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Espressif Internet of Things Development Framework (ESF-IDF) versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. It is an out-of-bounds read issue in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble).

The problem occurs because the transport accumulates prepared-write fragments in a fixed-size buffer but incorrectly tracks the cumulative length. A remote BLE client can exploit this by sending repeated prepare write requests with overlapping offsets, causing the reported length to exceed the allocated buffer size.

When the inflated length is passed to provisioning handlers during execute-write processing, it results in an out-of-bounds read and potential memory corruption.

This vulnerability can be triggered remotely while the device is in provisioning mode and has been patched in later versions.

Impact Analysis

This vulnerability can lead to memory corruption due to an out-of-bounds read triggered by a remote BLE client during device provisioning.

Memory corruption can cause unexpected behavior such as crashes, denial of service, or potentially allow an attacker to execute arbitrary code or disrupt device operation.

Since the vulnerability can be exploited remotely without privileges, it poses a significant risk to devices using the affected ESF-IDF versions during provisioning.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the ESF-IDF to a patched version. The issue has been fixed in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart