CVE-2026-25507
Last modified
CVE-2026-25507 is a medium-severity vulnerability rated 6.3/10 on the CVSS scale. ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Espressif | Esp-Idf | 5.1.6 |
| Espressif | Esp-Idf | 5.2.6 |
| Espressif | Esp-Idf | 5.3.4 |
| Espressif | Esp-Idf | 5.4.3 |
| Espressif | Esp-Idf | 5.5.2 |
References
- https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmgThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-25507?
How severe is CVE-2026-25507?
How do I fix CVE-2026-25507?
Are you affected by CVE-2026-25507?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST