CVE-2026-45541: ESF-IDF: Remote Null Pointer Dereference in WebSocket Server
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A null-pointer dereference in the WebSocket server component of Espressif's ESP-IDF framework allows a remote, unauthenticated attacker to crash the server by sending a malformed Sec-WebSocket-Protocol header during the WebSocket handshake. The crash occurs in the subprotocol-negotiation tokenization path before any application-level authentication runs, making it reachable without any prior access. Successful exploitation causes a denial of service by bringing down the HTTP server process. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream fix versions are confirmed in published package metadata.
HarborGuard Coverage
Detection of CVE-2026-45541 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ESP-IDF components. Any image in a connected registry or CI pipeline that carries an affected ESP-IDF version (5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0) will surface a finding automatically.
AvailableTriage capability is available with a CVSS v3.1 base score of 7.5 (HIGH), surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
AvailableBecause no fix versions have been confirmed in upstream package metadata at the time of publication, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed release (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1) appears in the upstream feed. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point, without requiring manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable WebSocket handshake path is exposed over the network; an attacker must be able to send an HTTP upgrade request to the ESP-IDF HTTP server to trigger the crash.
- AuthenticationNot required
The null-pointer dereference fires during header parsing before any application-level authentication runs, so no credentials or session token are needed.
- Victim interactionNot required
The attacker sends a single crafted request to the server; no user action or social engineering is required.
- Attack complexityDetail
Attack complexity is low; the exploit requires only a malformed Sec-WebSocket-Protocol header value and is reliable without any race condition or specific environmental prerequisite.
Blast Radius
- Crashes the ESP-IDF HTTP server process, taking down all WebSocket and HTTP endpoints it serves.
- Causes a full denial of service for any IoT device or embedded system running the affected ESP-IDF version, with no path to data disclosure or modification.
- Because the crash precedes authentication, any device with its WebSocket server reachable from an untrusted network is affected regardless of configured access controls.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45541 is active now, with findings generated for any image carrying ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0. Because upstream fix packages have not yet been confirmed in public metadata, no patched rebuild is available today. HarborGuard re-checks the advisory on every ingest cycle; when fixed versions (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1) appear in the upstream feed, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, the full flow (rebuild, regression run, PR against affected workloads) triggers without manual steps. In the interim, compensating controls to consider include network-policy isolation that restricts inbound WebSocket upgrade requests to trusted source ranges, egress filtering to limit lateral movement if a device is crashed and rebooted into a degraded state, and feature-flag gating to disable the WebSocket server component where it is not operationally required.
- espressif / esp-idf= 6.0 · = 5.5.4 · = 5.4.4 · = 5.3.5 · = 5.2.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H- https://github.com/espressif/esp-idf/security/advisories/GHSA-3j8v-xgrq-5vg8
- https://github.com/espressif/esp-idf/commit/00a2f7fbbbd8fe6d04729022e1d5c9a49435bfe8
- https://github.com/espressif/esp-idf/commit/0dc4ee7537f3b12350f5966cecacd59bba840ec6
- https://github.com/espressif/esp-idf/commit/37508ab91124ef426a7396d30f79eba1162700c7
- https://github.com/espressif/esp-idf/commit/9fc0ca13b3b85b98d32b98cd9dc8ff9d82642b7b
- https://github.com/espressif/esp-idf/commit/dc46dc51359749e50617eb70d6f9ae298adc4fff
- https://github.com/espressif/esp-idf/commit/f88a47e4f37fb11ae4b0908cd5c80059d83198c6