cbcvebase.
CVE-2026-45542
published 2026-06-10

CVE-2026-45542: ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the…

PriorityP334high7.1CVSS 3.1
AVAACLPRNUINSUCNILAH
EPSS
0.33%
24.2th percentile
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Affected

10 ranges
VendorProductVersion rangeFixed in
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
espressifesp-idf
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.