Description
A weakness has been identified in 78 xiaozhi-esp32 up to version 2.2.6. The affected code is the function ParseMessage in the file main/mcp_server.cc of the MCP Response Handler component. The flaw results in improper synchronization. The vulnerability can be exploited remotely; attack complexity is rated high and exploitation is known to be difficult. An exploit has been made public and could be used in attacks. A pull request that fixes the issue is awaiting acceptance.
Published: 2026-06-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ParseMessage function of the MCP Response Handler in 78 xiaozhi-esp32 versions up to 2.2.6. It allows an attacker to trigger a race condition caused by improper synchronization, and it can be exploited remotely. The attack has high complexity and is known to be difficult, yet an exploit is publicly available. The weakness corresponds to CWE-662 (Improper Synchronization).

Affected Systems

All installations of 78 xiaozhi-esp32 running versions 2.2.6 or earlier are affected. No specific sub‑versions are listed; the issue applies to the product as released up to the identified cut‑off.

Risk and Exploitability

The CVSS score of 2.3 classifies the issue as low severity, and the EPSS score is not available. The public exploit indicates that exploitation is possible, but the high attack complexity and lack of a KEV listing suggest limited real‑world use at present. Monitoring threat intelligence for any change in exploit activity is recommended.

Generated by OpenCVE AI on June 28, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch once the pull request is merged and a new release containing the fix is available.
  • If an update cannot be applied immediately, limit exposure by restricting network traffic to the MCP Response Handler or disabling the vulnerable interface.
  • Subscribe to the 78 xiaozhi-esp32 GitHub repository and relevant vulnerability feeds to stay informed of future patches or workarounds.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description A weakness has been identified in 78 xiaozhi-esp32 up to 2.2.6. Affected by this issue is the function ParseMessage of the file main/mcp_server.cc of the component MCP Response Handler. This manipulation causes improper synchronization. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
Title 78 xiaozhi-esp32 MCP Response mcp_server.cc ParseMessage improper synchronization
First Time appeared 78
78 xiaozhi-esp32
Weaknesses CWE-662
CPEs cpe:2.3:a:78:xiaozhi-esp32:*:*:*:*:*:*:*:*
Vendors & Products 78
78 xiaozhi-esp32
References
Metrics cvssV2_0

{'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T10:45:08.559Z

Reserved: 2026-06-27T15:50:21.113Z

Link: CVE-2026-13489

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T16:15:03Z

Weaknesses