CVE-2026-45541
Received Received - Intake
NULL-pointer Dereference in ESP-IDF WebSocket Handshake

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-45541
EUVD
EUVD-2026-35914
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
espressif esp_idf 5.2.6
espressif esp_idf 5.3.5
espressif esp_idf 5.4.4
espressif esp_idf 5.5.4
espressif esp_idf 6.0
espressif esp_idf From 5.2.7 (inc)
espressif esp_idf From 5.3.6 (inc)
espressif esp_idf From 5.4.5 (inc)
espressif esp_idf From 5.5.5 (inc)
espressif esp_idf From 6.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ESP-IDF framework's esp_http_server component, specifically in the WebSocket subprotocol-negotiation path. It is caused by a NULL-pointer dereference when parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake. The code attempts to tokenize the header value without checking if the tokenization result is NULL, which can happen if the header is malformed. This leads to the server crashing before any application-level authentication occurs.

The issue affects multiple versions of ESP-IDF (5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0) and has been fixed in later versions by adding proper NULL checks and length validations in the subprotocol parsing function to prevent dereferencing NULL pointers.

Impact Analysis

This vulnerability can be exploited remotely by an attacker sending a specially crafted Sec-WebSocket-Protocol header during the WebSocket handshake. Because the server crashes upon processing this malformed header, the impact is a denial of service (DoS).

The attacker does not need any privileges or user interaction to exploit this vulnerability, and it can cause the server to become unavailable, potentially disrupting services that rely on the WebSocket server.

Detection Guidance

This vulnerability occurs due to a NULL-pointer dereference in the WebSocket subprotocol-negotiation path when parsing a malformed Sec-WebSocket-Protocol request header. Detection involves monitoring for crashes or denial of service symptoms in the esp_http_server component when handling WebSocket handshake requests.

Since the issue is triggered by malformed Sec-WebSocket-Protocol headers, you can detect attempts by capturing and inspecting WebSocket handshake requests on your network for unusual or malformed Sec-WebSocket-Protocol headers.

Suggested commands to detect potential exploitation attempts include using network packet capture tools like tcpdump or Wireshark to filter WebSocket handshake requests and analyze the Sec-WebSocket-Protocol headers.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep 'Sec-WebSocket-Protocol'
  • Use Wireshark to filter HTTP requests with the display filter: http.header.sec_websocket_protocol

Additionally, monitoring server logs for crashes or unexpected restarts of the esp_http_server component can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade the ESP-IDF framework to a patched version where this vulnerability is fixed. The patched versions are 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1 or later.

If upgrading immediately is not possible, temporary mitigations include:

  • Avoid enabling WebSocket subprotocol negotiation in your application.
  • Enable mutual TLS authentication to restrict access and reduce the risk of exploitation.

These steps help prevent remote attackers from sending malformed Sec-WebSocket-Protocol headers that could crash the server.

Compliance Impact

This vulnerability causes a denial of service by crashing the server when processing malformed WebSocket subprotocol headers, but it does not lead to information disclosure or data modification.

Since the vulnerability does not expose or alter sensitive data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA.

However, denial of service incidents can affect availability requirements under these standards, so organizations using affected versions should apply patches or mitigations to maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart