Impact
The vulnerability is an out‑of‑bounds read in the ESP‑TEE secure service wrappers. The wrappers did not fully validate the caller‑supplied pointers, allowing an application to pass addresses that map to TEE‑exclusive memory. Because the underlying TEE peripherals run in machine mode with full address‑space visibility, a peripheral could read data from those addresses and return it to the normal world, leaking raw bytes or values derived from them. Depending on the wrapper, the leaked data could be returned directly, as a computed function of the TEE memory, or as a single bit that acts as an oracle for incremental disclosure. The vulnerability can therefore compromise the confidentiality of sensitive data stored in secure memory. The advisory does not mention privilege escalation or code execution, so the primary impact is information disclosure.
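To make the defect concrete, the following added example (not code from ESP‑IDF or from the advisory) models the pattern described above: a machine‑mode "peripheral" that can see the whole address space, a wrapper that forwards a caller‑supplied pointer to it unchecked, and a hardened wrapper that first confirms the whole buffer lies inside the normal‑world window. The address layout, the fake secret and the XOR digest are all constructed for the illustration and do not reflect the real chip memory map or the project's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat address space standing in for device memory (hypothetical
 * layout): offsets 0x00..0x7F are "TEE-exclusive", 0x80..0xFF are normal world. */
#define ADDR_SPACE_SIZE 0x100u
#define NONSECURE_START 0x80u
#define NONSECURE_END   ADDR_SPACE_SIZE /* exclusive */

static uint8_t g_mem[ADDR_SPACE_SIZE];

/* Populate the constructed address space: a fake secret in secure memory
 * and some ordinary caller data in normal-world memory. */
void sim_init(void)
{
    const uint8_t fake_secret[4] = { 0x01, 0x02, 0x04, 0x08 }; /* constructed */
    memset(g_mem, 0, sizeof g_mem);
    memcpy(g_mem + 0x10, fake_secret, sizeof fake_secret); /* TEE-exclusive */
    memcpy(g_mem + 0x90, "hello", 5);                      /* normal world */
}

/* Stand-in for a machine-mode peripheral: full address-space visibility and
 * no validation of its own. Returns a trivial XOR digest of [addr, addr+len). */
uint8_t peripheral_digest(uintptr_t addr, size_t len)
{
    uint8_t d = 0;
    for (size_t i = 0; i < len; i++)
        d ^= g_mem[(addr + i) % ADDR_SPACE_SIZE];
    return d;
}

/* Containment check: true iff [ptr, ptr+len) lies wholly inside the
 * normal-world window. Uses subtraction instead of ptr+len so an oversized
 * len cannot wrap around and pass the test. */
bool buffer_is_nonsecure(uintptr_t ptr, size_t len)
{
    if (ptr < NONSECURE_START || ptr >= NONSECURE_END)
        return false;
    return len <= NONSECURE_END - ptr;
}

/* Vulnerable wrapper: forwards the caller's pointer and length unchecked,
 * so a pointer into TEE memory yields a digest of secure data. */
int digest_wrapper_vulnerable(uintptr_t addr, size_t len, uint8_t *out)
{
    *out = peripheral_digest(addr, len);
    return 0;
}

/* Hardened wrapper: rejects any buffer that is not entirely in normal-world
 * memory before the peripheral ever sees the address. */
int digest_wrapper_hardened(uintptr_t addr, size_t len, uint8_t *out)
{
    if (!buffer_is_nonsecure(addr, len))
        return -1; /* invalid argument: refuse rather than leak */
    *out = peripheral_digest(addr, len);
    return 0;
}

int main(void)
{
    uint8_t out = 0;
    sim_init();
    printf("vulnerable, secure ptr : rc=%d out=0x%02X\n",
           digest_wrapper_vulnerable(0x10, 4, &out), out);
    printf("hardened,   secure ptr : rc=%d\n",
           digest_wrapper_hardened(0x10, 4, &out));
    printf("hardened,   straddling : rc=%d\n",
           digest_wrapper_hardened(0x7E, 4, &out));
    printf("hardened,   normal ptr : rc=%d out=0x%02X\n",
           digest_wrapper_hardened(0x90, 5, &out), out);
    return 0;
}
```

The check is deliberately written as `len <= end - ptr` rather than `ptr + len <= end`: the page's "did not fully validate" failure mode includes exactly the kind of partial check that an attacker-chosen length can defeat, and the straddling and wraparound cases in the test are the ones a wrapper audit should exercise.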
Affected Systems
Espressif’s ESP‑IDF framework is affected. Versions 5.5.4 and 6.0 contain the vulnerable wrappers, located in esp_secure_services.c and esp_secure_services_iram.c. The issue was fixed in versions 5.5.5 and 6.0.1. All ESP‑IDF builds on the affected versions that include these files are impacted until the patch is applied.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. EPSS and KEV data are not listed, so there is no current public evidence of exploitation. The vulnerability is exploitable by any code that can call the affected secure‑service wrappers, which in practice means a local actor, such as one who already controls application firmware. The potential impact is the leakage of part or all of the TEE’s sensitive memory, which could allow recovery of cryptographic keys or other secrets. An attacker would need to craft a call to a vulnerable wrapper with pointers into TEE memory, which is straightforward if the application does not validate those pointers itself. Because the attack is local, restricting which code can reach the secure services, or upgrading to a fixed version, mitigates the risk promptly.
OpenCVE Enrichment