cbcvebase.
CVE-2026-45541
published 2026-06-10

CVE-2026-45541: ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in…

PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.44%
35.1th percentile
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Affected

10 ranges
VendorProductVersion rangeFixed in
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.