Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates, and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.
Published: 2026-06-10
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write occurs in the secure‑service wrappers implemented in esp_secure_services.c and esp_secure_services_iram.c, part of the esp_tee component of the Espressif IoT Development Framework. These wrappers pass calls from regular user applications in the REE to TEE‑protected hardware peripherals. The write corrupts memory beyond its bounds, enabling an attacker to overwrite adjacent data or control structures. Such memory corruption can subvert cryptographic operations, compromise authentication, or allow arbitrary code execution within the TEE or the device’s core. The weakness is classified as Improper Input Validation (CWE‑20) and Out‑of‑Bounds Write (CWE‑787).

Affected Systems

Vulnerable releases are ESP‑IDF 5.5.4 and 6.0. The issue was fixed in subsequent releases 5.5.5 and 6.0.1. All systems deploying these exact versions, particularly embedded IoT devices relying on the ESP‑TEE secure service wrappers, are affected.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is rated critical. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires execution of code in the REE, so the primary vector is local execution of malicious or compromised application code. If the device permits remote code delivery to the REE, an attacker could trigger the OOB write through network‑controlled logic. Exploitation could yield full control over the device, bypass security features, and facilitate further compromise.

Generated by OpenCVE AI on June 10, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Espressif ESP‑IDF framework to at least version 5.5.5 or 6.0.1, which contain the patched secure‑service wrappers.
  • Verify the framework revision used on all devices; ensure the esp_tee component is updated accordingly.
  • As a precaution, disable the esp_tee component or restrict its use if upgrade is not feasible, to prevent the vulnerable code paths from being invoked.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates, and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.
Title ESP-IDF: Out-of-Bounds Write in ESP-TEE Secure Service Wrappers
Weaknesses CWE-20, CWE-787
References
Metrics cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T00:33:43.997Z

Reserved: 2026-05-11T20:50:30.540Z

Link: CVE-2026-45328

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T02:16:32.687

Modified: 2026-06-10T02:16:32.687

Link: CVE-2026-45328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z
