Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser (parse_options() in components/lwip/apps/dhcpserver/dhcpserver.c) shipped with ESP-IDF's lwIP component. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects the DHCP server used by ESP-IDF's SoftAP and any configuration where the device runs as a DHCP server on a local network. This issue has been patched in versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2.
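The description above says the parser trusts each option's length byte. The following is an added illustration of the check that class of bug is missing; it is not ESP-IDF's or lwIP's code, and the function name parse_dhcp_options and the result struct are this example's own. It walks the options field as a type-length-value list and verifies, before every read, that the code byte, the length byte and the declared payload all lie inside the supplied buffer; a declared length that would overrun the buffer ends parsing with a failure result instead of reading adjacent memory. Option numbers 0 (pad), 53 (message type), 55 (parameter request list) and 255 (end) are the standard DHCP values; the sample option lists are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCP_OPT_PAD      0
#define DHCP_OPT_MSG_TYPE 53
#define DHCP_OPT_END      255

/* Result of one bounds-checked walk over the options field. */
typedef struct {
    int    ok;         /* 1 only if every option fit and an END marker was seen */
    int    msg_type;   /* DHCP message type (option 53), or -1 if absent */
    size_t n_options;  /* number of non-pad options visited */
} dhcp_opts_t;

/* Walk options[0 .. len) as a TLV list.  Each of the three reads per
 * option (code, length, payload) is checked against `len` first, so a
 * truncated packet or an inflated length byte produces ok == 0 rather
 * than a read past the end of the buffer. */
dhcp_opts_t parse_dhcp_options(const uint8_t *options, size_t len)
{
    dhcp_opts_t r = { 0, -1, 0 };
    size_t i = 0;

    while (i < len) {                      /* the code byte is inside the buffer */
        uint8_t code = options[i++];
        if (code == DHCP_OPT_PAD)
            continue;                      /* single-byte option, no length field */
        if (code == DHCP_OPT_END) {
            r.ok = 1;                      /* well-formed: END seen within bounds */
            return r;
        }
        if (i >= len)
            return r;                      /* length byte missing: truncated */
        uint8_t olen = options[i++];
        if (olen > len - i)
            return r;                      /* payload would run past the buffer */
        const uint8_t *payload = options + i;
        if (code == DHCP_OPT_MSG_TYPE && olen == 1)
            r.msg_type = payload[0];
        r.n_options++;
        i += olen;                         /* skip the (now verified) payload */
    }
    return r;                              /* bytes ran out before END */
}

/* Constructed sample: message type DHCPDISCOVER (53 = 1), a 4-byte
 * parameter request list (55), then END. */
static const uint8_t GOOD_OPTS[] = { 53, 1, 1, 55, 4, 1, 3, 6, 15, 255 };
/* Constructed sample: option 55 declares 200 bytes but only 4 follow. */
static const uint8_t BAD_OPTS[]  = { 53, 1, 1, 55, 200, 1, 3, 6, 15 };
/* Constructed sample: a code byte with no length byte after it. */
static const uint8_t TRUNC_OPTS[] = { 53 };

int main(void)
{
    dhcp_opts_t g = parse_dhcp_options(GOOD_OPTS, sizeof GOOD_OPTS);
    dhcp_opts_t b = parse_dhcp_options(BAD_OPTS, sizeof BAD_OPTS);
    dhcp_opts_t t = parse_dhcp_options(TRUNC_OPTS, sizeof TRUNC_OPTS);
    printf("good:      ok=%d type=%d options=%zu\n", g.ok, g.msg_type, g.n_options);
    printf("inflated:  ok=%d type=%d options=%zu\n", b.ok, b.msg_type, b.n_options);
    printf("truncated: ok=%d type=%d options=%zu\n", t.ok, t.msg_type, t.n_options);
    return 0;
}
```

The comparison `olen > len - i` is written against the remaining byte count rather than as `i + olen > len` so it cannot wrap; the same check applies to any TLV walker over a network buffer, not only DHCP.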
Published: 2026-06-10
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the affected versions of the ESP-IDF framework the DHCP server option parser reads past the end of the options buffer when it processes a DHCP request whose option lengths are not consistent with the packet size. This out-of-bounds read touches adjacent heap memory, so it can potentially expose data held there; note, however, that the published CVSS vector (C:N/I:N/A:H) rates the impact as availability rather than confidentiality, so a crash or reset of the device is the primary expected outcome. The flaw is a classic input validation failure identified as CWE-125.

Affected Systems

Affected are Espressif's ESP-IDF framework versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1. These versions deploy the lwIP component that contains the vulnerable DHCP server code used in SoftAP modes and devices configured to act as a local DHCP server.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score is not available, so the public exploitation probability is uncertain. The vulnerability is not in CISA's KEV catalog, but an attacker with access to the DHCP traffic on the local network could craft a malformed request to trigger the read. The exploit requires network access to the device and the ability to send DHCP packets, which is feasible for an attacker connected to the same LAN.

Generated by OpenCVE AI on June 10, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ESP-IDF to at least version 5.2.8, 5.3.6, 5.4.5, 5.5.5, or 6.0.2 where the bug is fixed.
  • If DHCP server functionality is not required, disable the SoftAP DHCP server or any local DHCP service.
  • Apply network segmentation or firewall rules to restrict DHCP requests to trusted sources until the firmware is updated.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Espressif
                                        Espressif esp-idf
Vendors & Products    (none)            Espressif
                                        Espressif esp-idf

Wed, 10 Jun 2026 01:30:00 +0000

Type: Description, Title, Weaknesses, References, Metrics
Values Removed: (none)
Values Added:
  Description: ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser (parse_options() in components/lwip/apps/dhcpserver/dhcpserver.c) shipped with ESP-IDF's lwIP component. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects the DHCP server used by ESP-IDF's SoftAP and any configuration where the device runs as a DHCP server on a local network. This issue has been patched in versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2.
  Title: ESF-IDF: Out-of-bounds Read in lwIP DHCP Server Option Parser
  Weaknesses: CWE-125
  References: (none)
  Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Espressif Esp-idf
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T00:26:34.381Z

Reserved: 2026-05-08T20:44:38.965Z

Link: CVE-2026-45160

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T02:16:32.520

Modified: 2026-06-10T02:16:32.520

Link: CVE-2026-45160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:45:15Z

Weaknesses