CVE-2026-45160
Received Received - Intake
Out-of-Bounds Read in ESP-IDF DHCP Server

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser (parse_options() in components/lwip/apps/dhcpserver/dhcpserver.c) shipped with ESP-IDF's lwIP component. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects the DHCP server used by ESP-IDF's SoftAP and any configuration where the device runs as a DHCP server on a local network. This issue has been patched in versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-45160
EUVD
EUVD-2026-35915
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
espressif esp_idf 5.2.7
espressif esp_idf 5.3.5
espressif esp_idf 5.4.4
espressif esp_idf 5.5.4
espressif esp_idf 6.0.1
espressif esp_idf From 5.2.7 (exc)
espressif esp_idf From 5.3.5 (exc)
espressif esp_idf From 5.4.4 (exc)
espressif esp_idf From 5.5.4 (exc)
espressif esp_idf From 6.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an out-of-bounds (OOB) read flaw in the DHCP server option parser of the lwIP component within the ESP-IDF framework. Specifically, the function parse_options() in the DHCP server does not properly validate the length of DHCP options before reading them. As a result, a crafted DHCP request can cause the parser to read beyond the end of the options buffer into adjacent heap memory.

The flaw occurs because the parser walks through the BOOTP/DHCP options field without ensuring that each option's length byte and declared payload length stay within the received packet buffer. This can lead to reading invalid memory, potentially causing crashes or undefined behavior.

The issue affects ESP-IDF versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1 and has been patched in later versions by adding stricter validation checks for option lengths and buffer boundaries, including handling DHCP_OPTION_PAD and DHCP_OPTION_END markers.

Impact Analysis

This vulnerability can impact you by allowing an attacker on the same local network to send a specially crafted DHCP request that causes the DHCP server to read memory beyond its intended buffer.

The consequences include potential denial of service (DoS) by crashing the DHCP server task or corrupting its internal state. This can prevent the DHCP server from assigning IP addresses to clients, disrupting network connectivity.

Because the vulnerability is unauthenticated and exploitable by any client on the same Layer-2 network, it poses a risk in environments where the device runs as a DHCP server, such as SoftAP configurations.

Detection Guidance

This vulnerability involves an out-of-bounds read in the DHCP server option parser of ESP-IDF's lwIP component when processing DHCP requests. Detection would involve monitoring DHCP server behavior for crashes or abnormal operation caused by malformed DHCP packets.

Since the vulnerability is triggered by crafted DHCP requests, one way to detect it is to capture and analyze DHCP traffic on the network for suspicious or malformed DHCP option fields that could exploit the parser.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade ESP-IDF to a patched version where the vulnerability is fixed. The patched versions are 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2 or later.

If upgrading immediately is not possible, the only reliable workaround mentioned is to disable the DHCP server functionality on the affected device to prevent exploitation.

The patches introduce stricter validation of DHCP option lengths and buffer boundaries to prevent out-of-bounds reads, so applying these updates will mitigate the risk of crashes or denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart