Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Published: 2026-06-10
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a heap buffer overflow (CWE-122) in the protocomm component of ESP-IDF, in the first phase of Security Scheme 2 (SRP6a) session setup. The client-supplied protobuf username field carries its own length: the handler derives the destination buffer size from a value that has passed through a narrower type, but copies the full client-supplied length, so an oversized username writes past the end of the heap allocation. The CVE record scores the impact as C:N/I:L/A:H, so the assessed outcome is a device crash (denial of service) with limited integrity impact; whether the heap corruption can be steered into code execution is not established by the record.

Affected Systems

Espressif ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 are affected; the fixes are in 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. The vulnerable code is the Security Scheme 2 (SRP6a) implementation in components/protocomm/src/security/security2.c. The record identifies the Bluetooth transport as the exposure path, so IoT devices that use protocomm Security2 for provisioning over Bluetooth are in scope.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High), vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. The attack vector is adjacent, not network: the attacker needs a Bluetooth connection to the device, but no privileges and no user interaction, because the vulnerable handler runs in the first phase of session setup, before SRP6a authentication has completed. EPSS is not available, no public exploit is referenced on the record, and the CVE is not in CISA KEV. Once the buffer overwrite is triggered the device crashes; code execution is not asserted by the record's metrics. The issue has been patched in 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Generated by OpenCVE AI on June 10, 2026 at 02:20 UTC.

Remediation

The vendor has shipped fixed releases: 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1 (per the CVE description). No workaround is listed on the record.

OpenCVE Recommended Actions

  • Update ESP-IDF to the fixed release for your series (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1) and rebuild and re-flash affected firmware.
  • Check whether the device enables protocomm Security Scheme 2 (SRP6a) over Bluetooth; if that provisioning path is not needed, disable it or remove the component from the build.
  • Restrict Bluetooth connections to trusted devices, and in device code built on an unpatched ESP-IDF, bound the username length before any allocation or copy is sized from it, keeping the length in a type wide enough to hold the client-supplied value.

Generated by OpenCVE AI on June 10, 2026 at 02:20 UTC.
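The mechanism described in the Impact paragraph above, and the length check recommended in the third action, as an added C example that is not ESP-IDF or OpenCVE code. The narrow type (uint8_t), the USERNAME_MAX cap, the pb_field_t stand-in for a decoded protobuf field and the function names are all assumptions chosen for illustration; the actual security2.c code and its limits are not reproduced here. vuln_overflow_bytes() models the two sizes the vulnerable pattern would feed to the allocation and the copy without performing the copy, and safe_copy_username() shows the bounded handling in which one size_t value drives both.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed cap on the SRP6a username for this example; the real limit is
 * not stated in the advisory and this is not the ESP-IDF value. */
#define USERNAME_MAX 64

/* Stand-in for a decoded protobuf string field. The client controls both
 * the bytes and the length, and nothing has been authenticated yet. */
typedef struct {
    const uint8_t *data;
    size_t len;
} pb_field_t;

/* Sizes the vulnerable pattern would use. The allocation length is derived
 * from the client length after it has passed through a narrower type
 * (uint8_t here, an assumed stand-in for "narrower destination type"),
 * while the copy uses the full client-supplied length. Returns how many
 * bytes the memcpy would write past the end of the allocation; 0 means the
 * two sizes agree. The copy is only modelled, never performed, so this is
 * safe to call with any length. */
size_t vuln_overflow_bytes(const pb_field_t *f)
{
    uint8_t narrow_len = (uint8_t)f->len;        /* silently truncates > 255 */
    size_t alloc_len = (size_t)narrow_len + 1;   /* buf = calloc(narrow_len + 1, 1) */
    size_t copy_len = f->len;                    /* memcpy(buf, f->data, f->len) */
    return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

/* Hardened handling: bound the length before anything is sized from it,
 * keep every size in size_t, and size the allocation from the same value
 * that drives the copy. Returns a NUL-terminated heap copy, or NULL when
 * the field is rejected or allocation fails. Caller frees. */
char *safe_copy_username(const pb_field_t *f)
{
    if (f->data == NULL || f->len == 0 || f->len > USERNAME_MAX) {
        return NULL;                             /* reject before allocating */
    }
    char *buf = malloc(f->len + 1);
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, f->data, f->len);                /* exactly alloc_len - 1 bytes */
    buf[f->len] = '\0';
    return buf;
}

/* Constructed client input for testing: a field of n bytes filled with 'A'. */
static uint8_t g_payload[512];
pb_field_t make_field(size_t n)
{
    if (n > sizeof(g_payload)) {
        n = sizeof(g_payload);
    }
    memset(g_payload, 'A', n);
    pb_field_t f = { g_payload, n };
    return f;
}

int main(void)
{
    size_t lens[] = { 8, 64, 255, 256, 300 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        pb_field_t f = make_field(lens[i]);
        char *u = safe_copy_username(&f);
        printf("len=%3zu  vuln overflow=%3zu bytes  hardened: %s\n",
               lens[i], vuln_overflow_bytes(&f), u ? "accepted" : "rejected");
        free(u);
    }
    return 0;
}
```

With the assumed uint8_t narrowing, any username of 256 bytes or more makes the allocation smaller than the copy (a 300-byte field allocates 45 bytes and copies 300), while lengths of 255 or less never do; the hardened path rejects everything above the cap before a single byte is allocated, which is the check the third recommended action asks device code to add.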

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Title         (none)           ESP-IDF: Heap buffer overflow in protocomm Security2 over Bluetooth
Weaknesses    (none)           CWE-122
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T00:34:53.238Z

Reserved: 2026-05-12T17:48:47.879Z

Link: CVE-2026-45542

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T02:16:33.103

Modified: 2026-06-10T02:16:33.103

Link: CVE-2026-45542

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses