PT-2025-53611 · Espressif · ESP-IDF

Pavel Kohout +1

Published 2025-12-26 · Updated 2025-12-27

CVE-2025-68474

CVSS v3.1 7.6 High
Vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: ESP-IDF 5.1.6 and earlier, and the 5.2, 5.3, 5.4 and 5.5 release lines up to and including 5.2.6, 5.3.4, 5.4.3 and 5.5.1 respectively.
Description: ESP-IDF, the Espressif Internet of Things (IoT) Development Framework, contains a flaw in the avrc_vendor_msg() function of the BlueDroid AVRCP stack. The function validates the allocated buffer size against AVRC_MIN_CMD_LEN (20 bytes), but the fixed header data written before the vendor payload is larger than that value: 29 bytes are written before p_msg->p_vendor_data is copied. Because the check under-counts the header by 9 bytes, a vendor_len that passes the check can still push the copy past the end of the buffer, producing an out-of-bounds write and with it memory corruption, crashes or undefined behavior. Since the check is an assertion, the overflow can be larger in builds where assertions are disabled, as nothing then bounds the payload at all.
Recommendations: Versions 5.1.6 and earlier: update to a version later than 5.1.6. Versions 5.2.6, 5.3.4, 5.4.3 and 5.5.1: update to a version later than 5.2.6, 5.3.4, 5.4.3 and 5.5.1 respectively. As a temporary workaround, consider disabling the AVRCP stack or restricting use of avrc_vendor_msg() until the update can be applied.
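The size discrepancy described above, as an added example that is not ESP-IDF's or BlueDroid's code: a constructed C model of a length check against a 20-byte AVRC_MIN_CMD_LEN followed by a write of 29 header bytes plus the vendor payload, next to a check that bounds the payload by the header actually written. The two constants come from the advisory text; POOL_SIZE, the struct and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the advisory text: the check uses a 20-byte minimum
 * command length, but 29 bytes of fixed header are written before the
 * vendor payload. POOL_SIZE is an assumed allocation size for this model
 * and is not a value from the advisory or from ESP-IDF. */
#define AVRC_MIN_CMD_LEN 20u
#define AVRC_HDR_BYTES   29u
#define POOL_SIZE        64u

typedef struct {
    bool   check_passes;  /* the length check accepts this vendor_len */
    size_t bytes_written; /* header + payload the message builder writes */
    size_t overflow;      /* bytes written past POOL_SIZE, 0 if none */
} write_report_t;

/* Model of the vulnerable path. The advisory describes the check as an
 * assertion, so with assertions disabled it is treated as always passing. */
write_report_t model_vulnerable_check(size_t vendor_len, bool asserts_enabled)
{
    write_report_t r;
    r.check_passes  = !asserts_enabled || POOL_SIZE > AVRC_MIN_CMD_LEN + vendor_len;
    r.bytes_written = AVRC_HDR_BYTES + vendor_len;
    r.overflow      = r.bytes_written > POOL_SIZE ? r.bytes_written - POOL_SIZE : 0;
    return r;
}

/* Hardened check: bound the payload by the space left after the header
 * that is actually written. The subtraction is on the constant side, so
 * a huge vendor_len cannot wrap the comparison. */
bool fixed_check_passes(size_t vendor_len)
{
    return vendor_len <= POOL_SIZE - AVRC_HDR_BYTES;
}

/* Builds the message into a caller-supplied buffer with the hardened check.
 * Returns the number of bytes written, or 0 if the request is rejected. */
size_t build_vendor_msg_safe(uint8_t *out, size_t out_size,
                             const uint8_t *vendor, size_t vendor_len)
{
    if (out_size < AVRC_HDR_BYTES || vendor_len > out_size - AVRC_HDR_BYTES)
        return 0;
    memset(out, 0, AVRC_HDR_BYTES);              /* stand-in for header fields */
    if (vendor_len && vendor)
        memcpy(out + AVRC_HDR_BYTES, vendor, vendor_len);
    return AVRC_HDR_BYTES + vendor_len;
}

/* Largest vendor_len the vulnerable check still accepts with assertions on. */
size_t max_accepted_vendor_len(void)
{
    return POOL_SIZE - AVRC_MIN_CMD_LEN - 1;
}

int main(void)
{
    printf("vendor_len  old_check  bytes  overflow  new_check\n");
    for (size_t len = 33; len <= 45; len++) {
        write_report_t r = model_vulnerable_check(len, true);
        printf("%10zu  %9s  %5zu  %8zu  %9s\n", len,
               r.check_passes ? "pass" : "reject",
               r.bytes_written, r.overflow,
               fixed_check_passes(len) ? "pass" : "reject");
    }
    /* With assertions compiled out, nothing bounds the payload at all. */
    write_report_t r = model_vulnerable_check(200, false);
    printf("asserts off, vendor_len=200: check %s, overflow %zu bytes\n",
           r.check_passes ? "passes" : "rejects", r.overflow);
    return 0;
}
```

With the assumed 64-byte pool, every vendor_len from 36 to 43 passes the old check yet writes up to 8 bytes past the buffer, the 9-byte gap between the two constants minus the strict inequality; the hardened check rejects everything above 35.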

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2025-68474
GHSA-43GH-7R4F-QP57

Affected Products

ESP-IDF