Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
Published: 2026-02-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via BLE use‑after‑free
Action: Immediate Patch
AI Analysis

Impact

Resources in the ESP‑IDF BLE provision transport have a use‑after‑free flaw that lets an active or reconnecting BLE client read or write to memory after the provisioning objects are freed. The defect occurs only when provisioning is stopped with keep_ble_on set to true, leaving the GATT services active while the underlying structures are deallocated. The attacker can trigger invalid memory access, which can compromise the integrity of the firmware and potentially allow arbitrary code execution.

Affected Systems

Devices running ESP‑IDF version 5.5.2, 5.4.3, 5.3.4, 5.2.6 or 5.1.6 are vulnerable. The fix is available in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7 and 5.1.7.

Risk and Exploitability

The CVSS score is 6.3 and the EPSS is less than 1 %, indicating a moderate severity but low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker needs to connect to the device while it is in provisioning mode and issue a read or write operation after provisioning has been halted with keep_ble_on true. No authentication or privileged permissions are enumerated, so the attack channel is remote BLE only.

Generated by OpenCVE AI on April 17, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ESP-IDF library to any version 5.5.3 or later, 5.4.4 or later, 5.3.5 or later, 5.2.7 or later, or 5.1.7 or later.
  • Modify the provisioning logic to avoid using keep_ble_on = true when stopping provisioning, ensuring that all BLE resources are released cleanly.
  • If an immediate firmware update is not feasible, disable BLE provisioning or disconnect the BLE client to prevent the exploit from being triggered.

Generated by OpenCVE AI on April 17, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*
cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*
cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*
cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*
cpe:2.3:a:espressif:esp-idf:5.5.2:*:*:*:*:*:*:*

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Espressif
Espressif esp-idf
Vendors & Products Espressif
Espressif esp-idf

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
Title ESF-IDF Has Use-after-free Vulnerability in BLE Provisioning
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Espressif Esp-idf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:24:17.464Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25507

cve-icon Vulnrichment

Updated: 2026-02-04T19:24:11.532Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T18:16:09.360

Modified: 2026-02-20T17:12:46.537

Link: CVE-2026-25507

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses