CVE-2026-45542 · Severity: HIGH · CNA: GitHub_M

CVE-2026-45542: ESP-IDF: Heap buffer overflow in protocomm Security2 over Bluetooth

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of the client-supplied protobuf field carrying the SRP6a username and copies the field into a buffer whose size is derived from a narrower destination type. Because the allocation size is truncated while the copy length is not, an oversized username overflows the heap allocation. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
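The truncation-versus-copy asymmetry described above, as an added illustration that is not ESP-IDF's code: the structs, the 8-bit `username_len` field, the `MAX_USERNAME_LEN` limit and the function names are assumptions chosen to show the pattern, not the layout of `security2.c`. The vulnerable path returns the number of bytes the copy would write past the end of the allocation instead of performing it, so the program runs without corrupting its own heap; the hardened path checks the wire length against both the narrow field's range and a policy maximum before allocating, and sizes the allocation and the copy from the same checked value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a decoded protobuf bytes field: the length is
 * size_t and fully attacker-controlled. Not ESP-IDF's protobuf-c types. */
typedef struct {
    size_t len;
    const uint8_t *data;
} pb_bytes_t;

/* Hypothetical session object. The username length is kept in a type
 * narrower than the wire length, which is the root of the asymmetry. */
typedef struct {
    uint8_t  username_len;   /* (uint8_t)256 == 0, (uint8_t)300 == 44 */
    uint8_t *username;
} sec2_session_t;

#define MAX_USERNAME_LEN 64u  /* assumed policy limit for the hardened path */

/* Vulnerable pattern: the allocation is sized from the truncated field,
 * the copy from the untruncated wire length. To keep this runnable the
 * function returns how many bytes the copy would write past the end of
 * the allocation instead of actually performing malloc()+memcpy(). */
size_t vulnerable_overflow_bytes(const pb_bytes_t *username)
{
    sec2_session_t s = {0};
    s.username_len = (uint8_t)username->len;   /* silent truncation */
    size_t alloc_size = s.username_len;        /* what malloc() would get */
    size_t copy_size  = username->len;         /* what memcpy() would get */
    /* unsafe original shape:
     *   s.username = malloc(alloc_size);
     *   memcpy(s.username, username->data, copy_size);  -> heap overflow */
    return copy_size > alloc_size ? copy_size - alloc_size : 0;
}

/* Hardened pattern: reject before any allocation unless the wire length
 * fits the narrow field AND the policy limit, then derive both the
 * allocation and the copy from that single checked value. */
bool hardened_store_username(sec2_session_t *s, const pb_bytes_t *username)
{
    if (s == NULL || username == NULL || username->data == NULL) return false;
    if (username->len == 0 || username->len > MAX_USERNAME_LEN ||
        username->len > UINT8_MAX) {
        return false;                          /* oversized: no heap write */
    }
    uint8_t *buf = malloc(username->len);
    if (buf == NULL) return false;
    memcpy(buf, username->data, username->len); /* same size as the malloc */
    s->username     = buf;
    s->username_len = (uint8_t)username->len;  /* lossless after the check */
    return true;
}

int main(void)
{
    /* Constructed inputs: a 300-byte "username" as an attacker would send,
     * and a 16-byte legitimate one. */
    static uint8_t big[300];
    memset(big, 'A', sizeof big);
    pb_bytes_t oversized = { sizeof big, big };
    pb_bytes_t normal    = { 16, (const uint8_t *)"provisioning-usr" };

    printf("oversized: would overflow by %zu bytes\n",
           vulnerable_overflow_bytes(&oversized));   /* 256 */
    printf("normal:    would overflow by %zu bytes\n",
           vulnerable_overflow_bytes(&normal));      /* 0 */

    sec2_session_t sess = {0};
    printf("hardened rejects oversized: %s\n",
           hardened_store_username(&sess, &oversized) ? "no" : "yes");
    printf("hardened accepts normal:    %s\n",
           hardened_store_username(&sess, &normal) ? "yes" : "no");
    free(sess.username);
    return 0;
}
```

The 300-byte case overflows by 256 bytes because the allocation is sized from the truncated value 44; a 256-byte username is worse still, since `(uint8_t)256` is 0 and every byte of the copy lands outside the allocation. The fix is not a larger buffer but a single bounds check on the wire length, applied before anything is allocated, and then using that one value for both sizes.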

Metrics

CVSS v3.1 base score: 7.1
Severity: HIGH
Fixed in: 5.2.7, 5.3.6, 5.4.5, 5.5.5, 6.0.1
Affected products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow exists in the protocomm Security2 (SRP6a) session-setup path of Espressif's ESP-IDF framework, affecting versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0. An unauthenticated attacker within reach of the device's provisioning transport (the Bluetooth link named in the advisory, or a local Wi-Fi segment) can send an oversized SRP6a username field in the first session-setup message, corrupting the heap before any authentication completes and without user interaction. The direct outcome is corruption of the device heap: a firmware crash and reset of the affected device, or manipulation of heap-resident data adjacent to the overflowed buffer. Patched-image rebuilds at versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle an affected ESP-IDF version. Any image layer containing one of the affected ESP-IDF release strings is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it further against each environment's compliance policy to determine urgency tier and routing. Alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image namespace.

Status: Available

Patch

Once upstream fix versions (5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1) are resolvable from the package feed, patched-image rebuilds become available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes the regression test suite against the new image, and opens a pull request against affected workloads. The advisory lists 6.0.1 as the fix for the 6.0 line; until that version resolves as a package, HarborGuard re-checks the advisory on each ingest cycle and makes the patched rebuild available as soon as it does.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Adjacent (AV:A)

    The attacker must be within reach of the device's protocomm endpoint: in Bluetooth range for the BLE transport, or on the same local Wi-Fi segment or LAN for the network transport. Remote internet-based access is not sufficient. The endpoint is only reachable while the protocomm transport is running, which for the usual provisioning flow means the window between the device starting provisioning and stopping it.

  • Authentication: Not required (PR:N)

    No credentials or account are needed; the overflow is triggered during the pre-authentication SRP6a session-setup handshake.

  • Victim interaction: Not required (UI:N)

    No user action is required on the target device; the attacker sends a malformed pairing request directly to the service.

  • Attack complexity: Low (AC:L)

    A single malformed first-phase session-setup message triggers the overflow; no race condition or special environmental state is required. Turning the corruption into anything beyond a crash depends on the device's heap layout at the time of the request and is not established by the advisory.

Blast Radius

  • An attacker can crash the affected device by corrupting heap allocations or heap metadata; on ESP-IDF this typically surfaces as a panic or heap-integrity abort followed by a device reset, and the attacker can repeat the request after every reset, so the denial of service persists for as long as the endpoint stays reachable.
  • Heap corruption gives an attacker the ability to overwrite adjacent heap allocations, which may allow manipulation of session state or protocol handler data in memory.
  • Because integrity of heap-resident data is compromised (CVSS I:L), an attacker may be able to alter provisioning parameters or pairing credentials stored near the overflowed buffer.
  • Confidentiality of data on the device is not directly exposed by this vulnerability (CVSS C:N), so passive data disclosure is not an expected outcome of this exploit path.

How HarborGuard Handles This

Available on HarborGuard: detection against all five affected ESP-IDF release strings is active and matches images in customer registries and pipelines from the moment the CVE record is ingested. For environments running 5.2.6, 5.3.5, 5.4.4, or 5.5.4, where the fix versions (5.2.7, 5.3.6, 5.4.5, 5.5.5) are resolvable, patched-image rebuilds are available now. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at the fix version, run regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For the 6.0 release line, the advisory lists 6.0.1 as the fix; until that version resolves as a package, HarborGuard monitors the advisory on every ingest cycle and triggers the rebuild-and-PR flow as soon as it does. In the interim, and where compliance policy permits, customers can reduce exposure with compensating controls: keep the provisioning transport (Bluetooth or Wi-Fi) enabled only for the provisioning window and stop it once provisioning completes, and restrict which network segments can reach devices whose provisioning endpoint must stay up, since the overflow is only reachable from an adjacent link.

Affected packages
  • espressif / esp-idf
    = 5.2.6 · = 5.3.5 · = 5.4.4 · = 5.5.4 · = 6.0
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H