Connection Issues in Espressif IoT Development Framework for ESP32
CVE-2025-64342

6.9 MEDIUM

Key Information:

Vendor: Espressif
Status: Vendor
CVE Published: 17 November 2025

What is CVE-2025-64342?

An issue exists in the Espressif IoT Development Framework (ESP-IDF) affecting the ESP32 when its Bluetooth Low Energy (BLE) controller is operating in advertising mode. The vulnerability arises when the ESP32 receives a connection request carrying an invalid Access Address, specifically 0x00000000 or 0xFFFFFFFF. This can cause advertising to halt unexpectedly and the controller to report a connection event to the host even though no valid connection was established. As a result, applications may mistakenly believe that a device has successfully connected, potentially leading to further operational complications. The flaw has been addressed in subsequent software releases ranging from version 5.1.7 to 5.5.2.
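As an added example (not code from Espressif or from this advisory), the following Python function checks a proposed connection Access Address against the rules in the Bluetooth Core Specification (Vol 6, Part B, Section 2.1.2). It is the kind of validation a link layer or a conformance test harness would apply to an incoming connection request (CONNECT_IND) before leaving advertising; both values named above fail several of the rules.

```python
# Added example: validate a BLE connection Access Address against the
# Bluetooth Core Specification rules (Vol 6, Part B, Section 2.1.2).
# The two values named in CVE-2025-64342 (0x00000000 and 0xFFFFFFFF)
# violate several of these rules and must not start a connection.

ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed Access Address of advertising PDUs


def _bits(value: int) -> list[int]:
    """The 32 bits of the Access Address, most significant bit first."""
    return [(value >> i) & 1 for i in range(31, -1, -1)]


def _longest_run(bits: list[int]) -> int:
    """Length of the longest run of identical consecutive bits."""
    longest = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def _transitions(bits: list[int]) -> int:
    """Number of 0->1 or 1->0 changes between adjacent bits."""
    return sum(1 for prev, cur in zip(bits, bits[1:]) if cur != prev)


def access_address_violations(aa: int) -> list[str]:
    """Return the spec rules the Access Address violates (empty list = valid)."""
    if not 0 <= aa <= 0xFFFFFFFF:
        return ["not a 32-bit value"]
    bits = _bits(aa)
    octets = [(aa >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    violations = []
    if _longest_run(bits) > 6:
        violations.append("more than six consecutive zeros or ones")
    if aa == ADV_ACCESS_ADDRESS:
        violations.append("equals the advertising channel Access Address")
    if bin(aa ^ ADV_ACCESS_ADDRESS).count("1") == 1:
        violations.append("differs from the advertising Access Address by one bit")
    if len(set(octets)) == 1:
        violations.append("all four octets equal")
    if _transitions(bits) > 24:
        violations.append("more than 24 transitions")
    if _transitions(bits[:6]) < 2:
        violations.append("fewer than two transitions in the six most significant bits")
    return violations


def accept_connect_ind(aa: int) -> bool:
    """Decision an advertiser should make before reporting a connection to the host."""
    return not access_address_violations(aa)
```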

Affected Version(s)

  • esp-idf >= 5.5-beta1, < 5.5.2 (fixed in 5.5.2)

  • esp-idf >= 5.4-beta1, < 5.4.3 (fixed in 5.4.3)

  • esp-idf >= 5.3-beta1, < 5.3.5 (fixed in 5.3.5)

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
