CVE-2026-25507— ESF-IDF Has Use-after-free Vulnerability in BLE Provisioning
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25507
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ESF-IDF Has Use-after-free Vulnerability in BLE Provisioning
Source: NVD (National Vulnerability Database)
Vulnerability Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
释放后使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
ESP-IDF 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ESP-IDF是Espressif开源的一个 Windows、Linux 和 macOS 上支持的 Espressif SoC 的开发框架。 ESP-IDF 5.5.2版本、5.4.3版本、5.3.4版本、5.2.6版本和5.1.6版本存在资源管理错误漏洞,该漏洞源于BLE配置传输层存在释放后重用问题,可能导致无效内存访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-25507
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25507
请登录查看更多情报信息。
Same Patch Batch · espressif · 2026-02-04 · 3 CVEs total
| CVE-2026-25532 | 6.3 MEDIUM | ESF-IDF is Vulnerable to WPS Enrollee Fragment Integer Underflow |
| CVE-2026-25508 | 6.3 MEDIUM | ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisioning |
IV. Related Vulnerabilities
Same product: esp-idf
- CVE-2026-25508
ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisionin - CVE-2026-25532
ESF-IDF is Vulnerable to WPS Enrollee Fragment Integer Under - CVE-2025-68474
ESF-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Ven - CVE-2025-68473
ESF-IDF Has Out-of-Bounds Read in ESP32 Bluetooth SDP Result - CVE-2025-66409
ESF-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP C
Same vendor: espressif
- CVE-2026-41429
Improper validation of NBNS name_len in arduino-esp32 NetBIO - CVE-2026-25508
ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisionin - CVE-2026-25532
ESF-IDF is Vulnerable to WPS Enrollee Fragment Integer Under - CVE-2025-68657
espressif/usb_host_hid Double-Free Race Condition in USB Hos - CVE-2025-68656
Espressif ESP-IDF USB Host HID (Human Interface Device) Driv
V. Comments for CVE-2026-25507
No comments yet