CVE-2026-55687
Received Received - Intake

Buffer Overflow in ESP-IDF JPEG Parser

Vulnerability report for CVE-2026-55687, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpeg_parse_dqt_marker() in components/esp_driver_jpeg/jpeg_parse_marker.c because the attacker-controlled DQT marker Tq nibble is used as an index into the qt_tbl array without validating that it is in the range 0..3, allowing malformed JPEG input to corrupt stack memory and reliably trigger a denial of service. This issue is fixed in version 6.0.2 and is expected to be fixed in versions 5.5.5, 5.4.5, and 5.3.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
espressif esp-idf 6.0.1
espressif esp-idf 5.5.4
espressif esp-idf 5.4.4
espressif esp-idf 5.3.5
espressif esp-idf to 6.0.2 (inc)
espressif esp-idf From 5.5.5 (inc)
espressif esp-idf From 5.4.5 (inc)
espressif esp-idf From 5.3.6 (inc)
espressif esp-idf From 6.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the ESP-IDF JPEG decoder, specifically in the function jpeg_parse_dqt_marker(). It occurs because the code uses an attacker-controlled value (the DQT marker Tq nibble) as an index into a fixed-size array (qt_tbl) without checking if the value is within the valid range of 0 to 3. If the value is out of range, it causes an out-of-bounds write on the stack, which can corrupt memory.

The vulnerability can be triggered by processing malformed JPEG images containing crafted DQT segments. This leads to stack memory corruption and reliably causes a denial of service by triggering a stack smashing protection failure on affected ESP32-family devices.

The issue affects ESP-IDF versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly earlier versions. It has been fixed in version 6.0.2 and is expected to be fixed in upcoming patch releases for other versions.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). When a device running a vulnerable version of ESP-IDF processes a specially crafted JPEG image, it can cause a stack smashing protection failure, leading to a crash or reboot of the device.

This crash is deterministic and can be repeatedly triggered, making it possible for an attacker to cause persistent denial of service on affected devices.

While the vulnerability involves stack memory corruption, exploitation beyond denial of service has not been demonstrated and depends on the target device's compiler hardening and security configurations.

Detection Guidance

This vulnerability occurs when the ESP-IDF JPEG decoder processes malformed JPEG images containing an out-of-bounds write in the jpeg_parse_dqt_marker() function. Detection involves monitoring for crashes or denial of service events triggered by malformed JPEG data, especially on ESP32-family devices using affected ESP-IDF versions.

Since the vulnerability is triggered by processing attacker-controlled JPEG images, detection can include inspecting JPEG files or network traffic for malformed DQT markers with invalid Tq values (greater than 3).

No explicit detection commands are provided in the resources. However, you can monitor system logs for stack smashing protection failures or panics related to JPEG decoding on ESP32 devices.

Additionally, you can audit the ESP-IDF version running on your devices to check if it is one of the vulnerable versions (6.0.1, 5.5.4, 5.4.4, 5.3.5 or prior). Upgrading to patched versions (6.0.2, 5.5.5, 5.4.5, 5.3.6) is recommended.

Mitigation Strategies

The primary mitigation step is to upgrade the ESP-IDF framework to a patched version where the vulnerability is fixed.

  • Upgrade to ESP-IDF version 6.0.2 or later, or to versions 5.5.5, 5.4.5, or 5.3.6 where the fix is applied.
  • The upgrade can be performed by cloning the patched release branch using the command: git clone -b v6.0.2 --recursive https://github.com/espressif/esp-idf.git esp-idf-v6.0.2

The fix includes validation of the Tq nibble in the DQT marker to ensure it is within the valid range (0..3), rejecting malformed JPEG inputs that could cause stack corruption.

If immediate upgrade is not possible, consider restricting or sanitizing JPEG inputs from untrusted sources to prevent malformed images from being processed.

Compliance Impact

The vulnerability in the ESP-IDF JPEG decoder causes a denial of service through stack memory corruption triggered by malformed JPEG input. It primarily impacts system availability by causing crashes on affected devices.

There is no direct information in the provided context or resources about the vulnerability leading to unauthorized access, data leakage, or compromise of personal or sensitive data.

Therefore, while the vulnerability could affect system availability, which is a component of some compliance frameworks, there is no explicit indication that it impacts confidentiality or integrity aspects critical to standards like GDPR or HIPAA.

Organizations relying on ESP-IDF JPEG decoding in their IoT devices should consider the denial of service risk in their availability controls but no direct compliance violation related to data protection is evident from the provided information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart