Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a NULL‑pointer dereference in the WebSocket subprotocol‑negotiation path of the ESP‑IDF esp_http_server component. During the WebSocket handshake, the server parses the client‑supplied Sec-WebSocket-Protocol request header. If the header value is malformed, the tokenisation result is dereferenced without a NULL check, causing the server to crash before any application‑level authentication runs. The flaw is categorized as CWE‑476. The primary impact is a crash that can lead to a denial of service. The vulnerability does not provide direct remote code execution or data exfiltration but can be used to disrupt services.

Affected Systems

Espressif IoT Development Framework (ESP‑IDF) versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 are affected. These releases include the escaped Sec-WebSocket-Protocol flaw in the HTTP server component. The issue was patched in subsequent releases – 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1 – which add a NULL-check to the tokenisation result.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity. EPSS is not available, so the probability of exploitation in the wild remains unknown. It is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can send a crafted WebSocket handshake containing a malformed Sec-WebSocket-Protocol header to a vulnerable server. This can cause the server to crash before authentication, resulting in a denial of service. Given the high severity score and the remote nature of the exploit, organizations running ESP‑IDF must prioritize remediation.

Generated by OpenCVE AI on June 10, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ESP‑IDF firmware to a non‑affected version – at least 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1, which contain the NULL‑check patch.
  • Replace any old firmware distribution that contains the vulnerable ESP‑IDF components with updated firmware that has been verified to include the patch.
  • If a firmware update is not immediately possible, adopt a temporary mitigation by validating and sanitizing the Sec-WebSocket‑Protocol header before tokenisation, ensuring malformed values do not trigger the dereference.

Generated by OpenCVE AI on June 10, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Espressif
Espressif esp-idf
Vendors & Products Espressif
Espressif esp-idf

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Title ESF-IDF: Remote Null Pointer Dereference in WebSocket Server
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Espressif Esp-idf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T00:25:59.233Z

Reserved: 2026-05-12T17:48:47.878Z

Link: CVE-2026-45541

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T02:16:32.960

Modified: 2026-06-10T02:16:32.960

Link: CVE-2026-45541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T03:00:12Z

Weaknesses