CVE-2026-45329
Memory Corruption in Espressif ESP-IDF Framework

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only some of the caller-supplied pointer arguments, leaving input pointer arguments unchecked. Because the underlying TEE-protected hardware peripherals (e.g., ECC, SHA, SPI) run in RISC-V machine mode (M-mode) with full address-space access, a caller could supply pointers into TEE-exclusive memory as inputs, causing the peripheral to read TEE memory and return results derived from it to the REE. Depending on the wrapper, the result contains raw bytes from TEE memory, a computed function of TEE memory recoverable through repeated calls, or a single bit per call that forms an oracle for incremental disclosure of TEE-resident sensitive data. This issue has been patched in versions 5.5.5 and 6.0.1.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor     Product   Version / Range
espressif  esp_tee   up to 5.5.5 (excluding)
espressif  esp_tee   up to 6.0.1 (excluding)
espressif  esp_tee   5.5.5
espressif  esp_tee   6.0.1
CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-20   The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions
Executive Summary

CVE-2026-45329 is an out-of-bounds read vulnerability in the ESP-TEE secure service wrappers of the Espressif Internet of Things Development Framework (ESP-IDF). In versions 5.5.4 and 6.0, some ESP-TEE secure-service wrappers did not properly validate all caller-supplied pointer arguments, allowing unprivileged applications running in the Rich Execution Environment (REE) to supply pointers to TEE-exclusive memory.

Because the underlying Trusted Execution Environment (TEE) hardware peripherals operate with full address-space access, this flaw allows the peripheral to read sensitive TEE memory and return data derived from it back to the REE. The returned data can be raw bytes, computed functions of TEE memory, or single bits that can be used as an oracle to incrementally disclose sensitive TEE-resident data.

This vulnerability arises from improper input validation of pointers, classified under CWE-20 (Improper Input Validation), CWE-125 (Out-of-bounds Read), and CWE-200 (Exposure of Sensitive Information). It affects Espressif SoCs with ESP-TEE support, including ESP32-C5, ESP32-C6, ESP32-C61, and ESP32-H2.

The issue has been patched in versions 5.5.5 and 6.0.1 by adding proper input validation using the esp_tee_buf_in_ree() helper with enforcement to reject pointers referencing TEE memory.

Impact Analysis

This vulnerability can lead to exposure of sensitive data stored in the Trusted Execution Environment (TEE), such as cryptographic keys, internal pointers, and code addresses.

An attacker with local code execution in the Rich Execution Environment (REE) but no TEE privileges can exploit this flaw to read TEE memory contents indirectly through hardware peripherals.

The exposure of TEE-resident sensitive data undermines the security guarantees of the TEE, potentially facilitating further attacks such as key extraction, code manipulation, or bypassing security controls.

The vulnerability has a high severity score (CVSS 7.1) with a local attack vector, low complexity, no required privileges or user interaction, and a significant confidentiality impact.

Detection Guidance

This vulnerability involves improper validation of input pointer arguments in ESP-TEE secure service wrappers, allowing out-of-bounds reads of TEE memory. Detection would focus on identifying abnormal or unauthorized access attempts to TEE memory from the Rich Execution Environment (REE).

Since the issue is related to local code execution in the REE supplying invalid pointers, detection can involve monitoring for suspicious calls to ESP-TEE services or unusual memory access patterns.

No specific detection commands are provided in the available resources. However, general approaches could include:

  • Monitoring logs for ESP-TEE service call anomalies or errors related to pointer validation failures.
  • Using debugging tools or firmware instrumentation to trace calls to esp_secure_services.c and esp_secure_services_iram.c functions.
  • Checking for abnormal memory reads or unexpected data returned from TEE peripherals like ECC, SHA, or SPI.

Because the vulnerability is local and requires code execution in the REE, reviewing the device's REE firmware for unauthorized or suspicious components that invoke TEE services may help. The available resources provide no explicit detection commands or scripts.

Mitigation Strategies

The primary mitigation step is to update the ESP-IDF framework to a patched version where this vulnerability is fixed.

  • Upgrade ESP-TEE to version 5.5.5 or later if using 5.5.4.
  • Upgrade ESP-TEE to version 6.0.1 or later if using 6.0.

The fix involves adding proper input validation for all pointer arguments in the ESP-TEE secure service wrappers, rejecting any pointers referencing TEE-resident memory.
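The following is an added illustration of the validation pattern described here and in the Executive Summary; it is not Espressif's code and not taken from the esp-idf repository. It simulates a wrapper that range-checks only its output buffer beside one that checks every caller-supplied buffer, driving a toy digest "peripheral" that, like an M-mode peripheral, can reach any mapped address. The address map, the two memory regions, the FNV-1a digest and the helper `buf_in_ree()` (a hypothetical stand-in for the `esp_tee_buf_in_ree()` helper the advisory names, whose real signature is not on this page) are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address map for this illustration only; it does not match any
 * real Espressif SoC memory layout. */
#define TEE_BASE 0x40800000u   /* TEE-exclusive region (simulated) */
#define TEE_SIZE 0x1000u
#define REE_BASE 0x40810000u   /* REE (non-secure) region (simulated) */
#define REE_SIZE 0x1000u

/* Backing storage for the two simulated regions. */
static uint8_t tee_mem[TEE_SIZE];
static uint8_t ree_mem[REE_SIZE];

/* Hypothetical stand-in for the esp_tee_buf_in_ree() helper named in the
 * advisory (its real signature is not reproduced here). True only when the
 * whole range [addr, addr + len) lies inside the REE region; an addr + len
 * that wraps around is rejected rather than treated as a short buffer. */
bool buf_in_ree(uintptr_t addr, size_t len)
{
    uintptr_t end = addr + len;
    if (end < addr) {
        return false;
    }
    return addr >= REE_BASE && end <= REE_BASE + REE_SIZE;
}

/* The simulated peripheral runs in M-mode and can resolve any mapped address,
 * TEE or REE: the peripheral itself enforces no isolation. */
static uint8_t *periph_resolve(uintptr_t addr, size_t len)
{
    if (addr >= TEE_BASE && addr - TEE_BASE <= TEE_SIZE &&
        len <= TEE_SIZE - (addr - TEE_BASE)) {
        return tee_mem + (addr - TEE_BASE);
    }
    if (addr >= REE_BASE && addr - REE_BASE <= REE_SIZE &&
        len <= REE_SIZE - (addr - REE_BASE)) {
        return ree_mem + (addr - REE_BASE);
    }
    return NULL;
}

/* Toy digest "peripheral": 32-bit FNV-1a over the input, written to dst.
 * Not cryptographic; it only models a result that is a function of whatever
 * bytes the peripheral was pointed at. */
static bool periph_digest(uintptr_t src, size_t len, uintptr_t dst)
{
    const uint8_t *in = periph_resolve(src, len);
    uint8_t *out = periph_resolve(dst, sizeof(uint32_t));
    if (in == NULL || out == NULL) {
        return false;
    }
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= in[i];
        h *= 16777619u;
    }
    memcpy(out, &h, sizeof h);
    return true;
}

/* Wrapper with the flaw class the advisory describes: only the output buffer
 * is range-checked, so src may point anywhere the peripheral can reach. */
int secure_digest_partial_check(uintptr_t src, size_t len, uintptr_t dst)
{
    if (!buf_in_ree(dst, sizeof(uint32_t))) {
        return -1;
    }
    return periph_digest(src, len, dst) ? 0 : -2;
}

/* Hardened wrapper: every caller-supplied buffer, inputs included, must lie
 * in REE memory before the peripheral is driven. */
int secure_digest_full_check(uintptr_t src, size_t len, uintptr_t dst)
{
    if (!buf_in_ree(src, len) || !buf_in_ree(dst, sizeof(uint32_t))) {
        return -1;
    }
    return periph_digest(src, len, dst) ? 0 : -2;
}

/* Seeds constructed TEE contents and compares the two wrappers. Returns 1 when
 * the partially checked wrapper computes over TEE memory, the fully checked
 * wrapper refuses, and an ordinary REE-to-REE request still succeeds. */
int demo_wrapper_difference(void)
{
    memset(tee_mem, 0xA5, sizeof tee_mem);   /* constructed "secret" */
    memset(ree_mem, 0x00, sizeof ree_mem);
    int over_tee   = secure_digest_partial_check(TEE_BASE, 32, REE_BASE);
    int refused    = secure_digest_full_check(TEE_BASE, 32, REE_BASE);
    int ree_to_ree = secure_digest_full_check(REE_BASE + 64, 32, REE_BASE);
    return (over_tee == 0 && refused == -1 && ree_to_ree == 0) ? 1 : 0;
}

int main(void)
{
    printf("hardened wrapper closes the gap: %s\n",
           demo_wrapper_difference() ? "yes" : "no");
    return 0;
}
```

The design point is that the check must cover the full byte range of every pointer the peripheral will dereference, not just the pointer itself, and must fail closed on length overflow; a check on the base address alone would still let a buffer that starts in REE memory run into the TEE region.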

If immediate upgrade is not possible, consider restricting or monitoring local code execution in the Rich Execution Environment (REE) to prevent unprivileged applications from invoking vulnerable TEE service calls.

Applying the security patches from the relevant commits in the esp-idf repository that add missing input validation and improve error handling is also recommended.

Compliance Impact

This vulnerability allows local attackers to read sensitive data residing in the Trusted Execution Environment (TEE) memory, including cryptographic keys and internal pointers. Such exposure of sensitive information can undermine the confidentiality guarantees expected from secure hardware environments.

Because the vulnerability leads to unauthorized disclosure of sensitive data, it could impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Organizations using affected Espressif SoCs with ESP-TEE support should consider this vulnerability a risk to confidentiality controls mandated by these standards and should apply the patches to maintain compliance.
