PT-2026-6300 · Espressif · Esf-Idf
Maxime Rossi Bellom +1 · Published 2026-02-04 · Updated 2026-02-04 · CVE-2026-25508
CVSS v3.1: 6.3 Medium
Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Espressif Internet of Things (IoT) Development Framework versions 5.1.6 through 5.5.2
Description
The Espressif Internet of Things (IoT) Development Framework (ESP-IDF) contains a flaw in BLE ATT Prepare Write handling within the BLE provisioning transport (protocomm_ble). A remote BLE client can trigger the issue while the device is in provisioning mode. The transport accumulates prepared-write fragments in a fixed-size buffer but incorrectly tracks their cumulative length: when a client sends repeated Prepare Write requests with overlapping offsets, the tracked length grows beyond the data actually stored. That inflated length is passed to the provisioning handlers during execute-write processing, leading to an out-of-bounds read and potential memory corruption.
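The length-accounting error described above, shown as a simplified model next to a bounds-safe variant. This is an added example, not ESP-IDF source code; the type, function names, buffer size and fragment sequence are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREP_BUF_SIZE 64            /* assumed size, not ESP-IDF's value */

typedef struct {
    uint8_t buf[PREP_BUF_SIZE];     /* fixed-size reassembly buffer */
    size_t  len;                    /* length later given to the execute-write handler */
} prep_ctx_t;                       /* hypothetical type */

/* Flawed model: every fragment length is summed, so fragments that rewrite
 * the same offset inflate len past the bytes actually stored. */
static int prep_write_flawed(prep_ctx_t *c, size_t off, const uint8_t *d, size_t n)
{
    if (off > PREP_BUF_SIZE || n > PREP_BUF_SIZE - off) return -1;
    memcpy(c->buf + off, d, n);
    c->len += n;
    return 0;
}

/* Hardened model: len is the high-water mark of written bytes, and a
 * fragment that would leave an unwritten gap is rejected. */
static int prep_write_checked(prep_ctx_t *c, size_t off, const uint8_t *d, size_t n)
{
    if (off > PREP_BUF_SIZE || n > PREP_BUF_SIZE - off) return -1;
    if (off > c->len) return -1;
    memcpy(c->buf + off, d, n);
    if (off + n > c->len) c->len = off + n;
    return 0;
}

/* Constructed input: eight 16-byte fragments, all at offset 0. */
size_t demo_len(int checked)
{
    prep_ctx_t c = {0};
    uint8_t frag[16];
    memset(frag, 0xAA, sizeof frag);
    for (int i = 0; i < 8; i++)
        (checked ? prep_write_checked : prep_write_flawed)(&c, 0, frag, sizeof frag);
    return c.len;
}

int main(void)
{
    printf("flawed=%zu checked=%zu buf=%d\n", demo_len(0), demo_len(1), PREP_BUF_SIZE);
    return 0;
}
```

In the flawed model the reported length exceeds the buffer size even though every individual copy stayed in bounds, which is why a handler that trusts the length reads past the buffer.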
Recommendations
Update to version 5.5.3
Update to version 5.4.4
Update to version 5.3.5
Update to version 5.2.7
Update to version 5.1.7
Exploit
Fix
Out of bounds Read
Affected Products
Esf-Idf