HIGH 7.1

CVE-2026-45542: ESP-IDF Heap Buffer Overflow in SRP6a Security Scheme

A heap buffer overflow vulnerability exists in Espressif's IoT Development Framework (ESP-IDF) affecting the Security Scheme 2 (SRP6a) component used during initial device provisioning and session setup. When a device receives a provisioning request with a specially crafted username field, the security handler copies the user-supplied length into a smaller buffer than intended, corrupting heap memory and potentially causing the device to crash or behave unpredictably. An attacker within network range of the target device can trigger this without authentication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-122
Affected products
5 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45542 is a CWE-122 (heap buffer overflow) in the protocomm component's Security Scheme 2 implementation. The vulnerable code path is handle_session_command0() in components/protocomm/src/security/security2.c. The flaw occurs because the first-phase SRP6a session handler trusts the length field from a client-supplied protobuf message when copying an SRP6a username. The destination buffer size is derived from a narrower data type than the source length, creating a truncation-versus-copy asymmetry. When an attacker supplies a length value exceeding the destination buffer capacity, the memcpy or similar operation writes beyond the allocated heap region. This corrupts adjacent heap structures and can lead to denial of service or information disclosure.

Business impact

Espressif chips running affected ESP-IDF versions are commonly used in smart home devices, industrial IoT controllers, and connected appliances. A remotely triggered heap corruption during provisioning could allow an attacker to remotely crash or destabilize thousands of deployed IoT devices without requiring authentication or valid credentials. For manufacturers, this may result in support escalations, field firmware updates, warranty claims, and reputational damage if widespread exploits emerge.

Affected systems

The vulnerability affects ESP-IDF versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0. Patched versions are 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. Any embedded Linux or RTOS device running an unpatched Espressif IoT framework with the SRP6a provisioning pathway enabled is at risk. This includes many commercial IoT products that use Espressif SoCs (ESP32, ESP32-S3, etc.) and have not yet incorporated the latest SDK.

Exploitability

The attack requires network adjacency (AV:A) but no authentication or user interaction. An attacker on the same local network can craft a malicious protobuf packet and send it to the device's provisioning port. The vulnerability is straightforward to trigger programmatically once network access is achieved. However, it is not listed on CISA's Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation has not been publicly confirmed as of the published date. The low complexity (AC:L) and ease of packet crafting make this a moderate-to-high concern for IoT-dense environments.

Remediation

Update ESP-IDF to the patched versions: 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1 or later. For deployed devices, coordinate with the device manufacturer to obtain and test a firmware update. If the manufacturer has not released a patch, mitigate by restricting network access to provisioning interfaces (e.g., via firewall rules, VLANs, or disabling provisioning after initial setup). Monitor for unusual device restarts or misbehavior during provisioning operations.

Patch guidance

Developers using ESP-IDF should upgrade immediately: prioritize ESP-IDF 6.0.1 if possible for access to the latest stable features and security improvements. For legacy products on older release branches (5.2, 5.3, 5.4, 5.5), apply the corresponding patch version (e.g., 5.5.5). Test the patched version in a staging environment before deploying to production to ensure compatibility with proprietary code and dependencies. Device manufacturers must validate the patched SDK against their hardware and application before rolling out field updates.

Detection guidance

Look for failed or unusual provisioning attempts on local networks where ESP-IDF devices operate. Network intrusion detection can identify malformed protobuf packets sent to provisioning ports (commonly port 80, 443, or custom ports). Monitor device logs for unexpected heap errors, stack traces referencing security2.c, or abrupt restarts during provisioning. In constrained IoT environments, correlate device reboots with the presence of unpatched firmware versions (use device inventory or firmware scanning tools). Note that this is a memory corruption bug rather than a network protocol exploit, so packet-level detection may be difficult without deep protobuf inspection.

Why prioritize this

Although the vulnerability requires network adjacency and is not yet listed as exploited in the wild, the combination of ease of exploitation (no authentication), widespread use of Espressif in IoT products, and the severity of heap corruption (denial of service + potential code execution) warrants urgent patching. The CVSS score of 7.1 reflects high availability impact and low integrity impact; the lack of confidentiality impact suggests the primary risk is device unavailability rather than data theft. For manufacturers with thousands of deployed devices, this is a critical firmware update priority.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects: Attack Vector=Adjacent (local network only, not internet-facing); Attack Complexity=Low (straightforward crafted packet); Privileges Required=None; User Interaction=None; Scope=Unchanged; Confidentiality=None (no data leakage); Integrity=Low (potential corruption of device state or memory); Availability=High (device crash/denial of service). The score appropriately weights the ease of triggering a crash against the requirement for network adjacency, which limits widespread impact to devices on the same network as an attacker.

Frequently asked questions

Can this vulnerability be exploited remotely over the internet?

No. The attack vector is adjacency (AV:A), meaning the attacker must be on the same local network as the target device. It cannot be triggered from the internet without network access to the device's provisioning interface.

Does the device need to be in provisioning mode to be vulnerable?

Yes. The vulnerability is in the session-setup path of Security Scheme 2, which is active during provisioning or when the device is awaiting initial configuration. If provisioning is disabled or the device is fully configured, the attack surface is reduced. However, verify your device's specific design.

Can this lead to remote code execution?

The vulnerability is a heap buffer overflow, which is a memory corruption bug. While such bugs can sometimes be chained into code execution, the CVSS score and public description indicate the primary impact is denial of service (device crash). Any RCE path would depend on heap layout, ASLR, and application-specific factors and is not explicitly documented.

How do I know if my device is affected?

Check the device's firmware version against the ESP-IDF version it was built with. Manufacturers typically list ESP-IDF version in release notes or product documentation. If your device uses ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0, it is vulnerable. Contact the manufacturer for a patched firmware release.

This analysis is provided for informational purposes. While we strive for accuracy, vulnerabilities evolve as research progresses. Always consult the official Espressif advisory and test patches in your environment before production deployment. SEC.co does not provide legal, warranty, or liability assurances. Security decisions should align with your organization's risk tolerance and regulatory requirements. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).