Integer Underflow Vulnerability in ESP-NOW Protocol of Espressif's IOT Development Framework
CVE-2025-52471

7.2 HIGH

Key Information:

Vendor: Espressif

Status
Vendor
CVE Published: 24 June 2025

What is CVE-2025-52471?

An integer underflow vulnerability exists in the ESP-NOW protocol implementation of the ESP-IDF framework. This flaw is caused by inadequate validation of user-supplied data length during packet reception. If exploited, it may result in out-of-bounds memory access, potentially allowing for arbitrary memory writes. In scenarios where systems lack memory protection, this vulnerability could enable remote code execution. To address this issue, updates have been introduced in newer versions of ESP-IDF that incorporate stronger validation mechanisms. Users are strongly encouraged to upgrade to the latest versions or apply the necessary workarounds to reinforce their system's security.
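The bug class described above, as an added illustration (this is not ESP-IDF source code and not the affected function): a receive path that subtracts a header size from an unvalidated frame length, beside a version that validates first. The header size, payload limit, frame layout and function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for illustration only (not the ESP-NOW format). */
#define HDR_LEN     8u    /* hypothetical fixed header size */
#define MAX_PAYLOAD 250u  /* hypothetical upper bound on payload size */

/* Flawed pattern: derive the payload length without checking frame_len.
 * For frame_len < HDR_LEN the unsigned subtraction wraps to a huge value,
 * which a later copy would treat as a valid length. */
size_t payload_len_unchecked(size_t frame_len)
{
    return frame_len - HDR_LEN;
}

/* Hardened pattern: reject short frames before subtracting, then bound the
 * result by both the protocol maximum and the destination capacity.
 * Returns the number of payload bytes copied, or -1 if the frame is rejected. */
int copy_payload_checked(const uint8_t *frame, size_t frame_len,
                         uint8_t *dst, size_t dst_cap)
{
    if (frame == NULL || dst == NULL)
        return -1;
    if (frame_len < HDR_LEN)            /* subtraction would underflow */
        return -1;
    size_t n = frame_len - HDR_LEN;
    if (n > MAX_PAYLOAD || n > dst_cap) /* oversized for protocol or buffer */
        return -1;
    memcpy(dst, frame + HDR_LEN, n);
    return (int)n;
}

int main(void)
{
    uint8_t frame[16] = {0};            /* constructed sample frame */
    uint8_t dst[MAX_PAYLOAD];

    printf("unchecked length for a 4-byte frame: %zu\n",
           payload_len_unchecked(4));
    printf("checked, 4-byte frame:  %d\n",
           copy_payload_checked(frame, 4, dst, sizeof dst));
    printf("checked, 16-byte frame: %d\n",
           copy_payload_checked(frame, 16, dst, sizeof dst));
    return 0;
}
```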

Affected Version(s)

esp-idf = 5.4.1

esp-idf = 5.3.3

esp-idf = 5.2.5

CVSS V4

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
