CVE-2026-45541: ESP-IDF WebSocket NULL Pointer DoS Vulnerability – High Severity
A flaw exists in Espressif's IoT Development Framework (ESP-IDF) that allows an attacker to crash a WebSocket server by sending a specially crafted network request during the initial connection handshake. The server fails to safely validate a specific HTTP header before attempting to process it, causing an immediate denial of service. No authentication is required—an unauthenticated attacker on the network can trigger this crash remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45541 is a NULL-pointer dereference vulnerability in the esp_http_server component's WebSocket subprotocol-negotiation handler. During WebSocket handshake processing, the esp_http_server parses the client-supplied Sec-WebSocket-Protocol header and tokenizes the value. The code dereferences the tokenization result without verifying it is non-NULL, allowing a malformed header to trigger a NULL-pointer dereference and crash the server process. The vulnerability is classified as CWE-476 (NULL Pointer Dereference). Attack surface is pre-authentication—no prior compromise or valid credentials are needed.
Business impact
Organizations deploying ESP-IDF-based IoT devices with WebSocket functionality face potential service disruption. A remote attacker can repeatedly crash the device's HTTP server, disrupting legitimate WebSocket connections and any dependent monitoring, control, or data-streaming workflows. In industrial IoT, connected vehicles, or smart-home deployments, this can degrade safety and availability. Repeated crashes may also accelerate hardware wear or create attack openings for secondary exploitation if device restarts are infrequent or unmonitored.
Affected systems
Espressif ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 are vulnerable. Any device or application running these versions with WebSocket support enabled and exposed to untrusted network traffic is at risk. Patches are available: ESP-IDF 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1 contain the fix. Verify your deployed ESP-IDF version against release notes; many embedded IoT products do not automatically update.
Exploitability
Exploitability is straightforward: an attacker with network access to a vulnerable WebSocket endpoint can craft a single malformed Sec-WebSocket-Protocol header (e.g., a header with specific null-byte or truncated patterns) and send it as part of a WebSocket upgrade request. No special tools, authentication, or user interaction are required. The CVSS score of 7.5 (HIGH) reflects ease of remote exploitation and guaranteed availability impact, though confidentiality and integrity are unaffected.
Remediation
Apply the patched ESP-IDF version corresponding to your current release series: upgrade 5.2.x to 5.2.7 or later, 5.3.x to 5.3.6 or later, 5.4.x to 5.4.5 or later, 5.5.x to 5.5.5 or later, or 6.0 to 6.0.1 or later. If immediate patching is not feasible, disable WebSocket support in the HTTP server configuration or restrict network access to the server (firewall, VPN, or network segmentation) until patching is completed. Test patches in a staging environment before production rollout, especially for widely-deployed embedded devices.
Patch guidance
Espressif has released patched versions for all affected branches. Obtain updates from the official ESP-IDF GitHub repository or your device vendor's firmware distribution channel. Verify the patch by checking the component version in your build or by inspecting the esp_http_server source code for NULL checks around Sec-WebSocket-Protocol tokenization. If your device is supplied by a third-party vendor or OEM, contact them to confirm patch availability and rollout timeline; many IoT devices receive updates through vendor release schedules, not Espressif directly.
Detection guidance
Monitor ESP-IDF deployments for unexpected server restarts or unresponsive WebSocket services. Enable HTTP server logging and watch for malformed or truncated Sec-WebSocket-Protocol headers in access logs or crash dumps. Network intrusion detection systems can be tuned to flag WebSocket upgrade requests with suspiciously formatted or null-containing subprotocol headers. Review device firmware versions in your asset inventory against the vulnerable releases listed above. In a lab environment, attempt a WebSocket upgrade with a crafted Sec-WebSocket-Protocol header (e.g., a header with embedded nulls or truncation) to confirm if a device is vulnerable before patching.
Why prioritize this
This vulnerability merits urgent attention because it is unauthenticated, remotely exploitable, and results in guaranteed denial of service. It affects a widely-used embedded framework across IoT products. The pre-authentication attack surface means attackers do not need prior system access. Although CVSS confidentiality and integrity scores are zero, availability impact is severe and can be triggered repeatedly. Prioritize patching production and critical IoT deployments first, particularly those exposed to untrusted networks.
Risk score, explained
CVSS 7.5 (HIGH) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high availability impact (A:H). The score appropriately captures the ease and scope of exploitation despite the absence of confidentiality or integrity risk. For organizations with defense-in-depth controls (network segmentation, rate limiting, or graceful crash recovery), actual risk may be somewhat lower; conversely, organizations with critical availability requirements or minimal monitoring may perceive higher operational risk.
Frequently asked questions
Can an attacker read or modify data on the device through this vulnerability?
No. This is a denial-of-service vulnerability only. An attacker can crash the HTTP server process but cannot leak sensitive data, modify files, or escalate privileges through this flaw. However, a crash could create an opening for follow-up attacks if the device fails to restart reliably or if other services on the device become accessible during downtime.
Do I need to upgrade immediately, or can I wait for the next firmware cycle?
This depends on your deployment model and risk tolerance. If your devices are exposed to untrusted networks (the public internet, open WiFi, etc.) and WebSocket is enabled, patching should be prioritized within your next maintenance window—do not wait for a routine update cycle. If devices are isolated on a secured internal network or WebSocket is not in use, you can plan the upgrade more flexibly. Either way, plan to patch within 30–60 days.
What if my device vendor has not released a patched firmware version yet?
Contact your vendor's support team and request a timeline for patching. In the interim, apply network-level mitigations: restrict access to the device's HTTP server using a firewall or VPN, disable WebSocket if not required, or deploy a reverse proxy with validation. Monitor the device for unexpected restarts that could indicate exploitation attempts.
Is this vulnerability already being exploited in the wild?
CVE-2026-45541 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no evidence of active exploitation has been publicly reported as of the vulnerability's publication date. However, the simplicity of exploitation means attacks could emerge quickly once awareness spreads. Assume potential exploitation risk within weeks and prioritize patching accordingly.
This analysis is based on publicly available vulnerability data and vendor disclosures as of the publication date. Security landscapes evolve rapidly; threat actors may develop new exploitation techniques or discovery methods not reflected here. This content is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment, verify patch applicability to their specific deployments, and perform testing before production deployment. SEC.co assumes no liability for decisions made based on this intelligence. Always consult your vendor's official security advisory and your organization's security policies. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-55657HIGHGPAC MP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-62850HIGHQNAP QuTS hero NULL Pointer Dereference DoS Vulnerability
- CVE-2025-66281HIGHQNAP NULL Pointer Dereference DoS Vulnerability (HIGH)
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-24716HIGHQNAP NULL Pointer Dereference DoS Vulnerability – Patch Guidance
- CVE-2026-3238HIGHSamba WINS Server NULL Pointer Dereference DoS Vulnerability