Out-of-Bounds Memory Access in Espressif IoT Development Framework Due to AVRCP Commands
CVE-2025-66409

2.7 LOW

Key Information:

Vendor

Espressif

Status
Vendor
CVE Published:
2 December 2025

What is CVE-2025-66409?

The Espressif IoT Development Framework (ESP-IDF) is vulnerable when AVRCP is enabled on ESP32 devices. If a malformed VENDOR DEPENDENT command is received from a peer device, the Bluetooth stack may read from the command buffer without first validating its length. This can lead to out-of-bounds reads, which may expose sensitive memory content or cause erratic system behavior. The issue affects versions up to and including 5.5.1 (see the affected ranges below).
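The missing check described above, shown as an added example that is not ESP-IDF's own code: a bounds-checked parser for an AVRCP VENDOR DEPENDENT command that refuses to read any field, or any parameter bytes, beyond what was actually received. The frame layout (AV/C header, 3-byte company ID, PDU ID, packet type, 2-byte big-endian parameter length), the function and type names, and the sample frames are assumptions of this example, not details taken from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AV/C frame carrying an AVRCP VENDOR DEPENDENT command. Layout follows the
 * AV/C and AVRCP specifications and is stated here as an assumption:
 *   [0] ctype      [1] subunit type/id    [2] opcode (0x00 = VENDOR DEPENDENT)
 *   [3..5] company ID (Bluetooth SIG: 00 19 58)
 *   [6] PDU ID     [7] packet type        [8..9] parameter length, big-endian
 *   [10..] parameters (exactly parameter-length bytes) */
#define AVRC_OP_VENDOR   0x00
#define AVRC_VENDOR_HDR  10

typedef struct {
    uint8_t  pdu_id;
    uint8_t  packet_type;
    uint16_t param_len;
    const uint8_t *params;   /* points into the caller's buffer */
} avrc_vendor_cmd_t;

/* Hardened parse: every field is checked against the bytes actually received
 * before it is read, so a short frame or one whose declared parameter length
 * exceeds the buffer is rejected instead of producing an out-of-bounds read. */
bool avrc_parse_vendor_cmd(const uint8_t *buf, size_t len, avrc_vendor_cmd_t *out)
{
    if (buf == NULL || out == NULL || len < AVRC_VENDOR_HDR)
        return false;                       /* fixed header is incomplete */
    if (buf[2] != AVRC_OP_VENDOR)
        return false;                       /* not a VENDOR DEPENDENT frame */
    uint16_t param_len = (uint16_t)((buf[8] << 8) | buf[9]);
    if (param_len > len - AVRC_VENDOR_HDR)
        return false;                       /* declared length exceeds buffer */
    out->pdu_id      = buf[6];
    out->packet_type = buf[7];
    out->param_len   = param_len;
    out->params      = buf + AVRC_VENDOR_HDR;
    return true;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t kGoodFrame[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x00, 0x01, 0x02 };
/* Same header, but declares 0x0100 parameter bytes while only one follows. */
static const uint8_t kTruncatedFrame[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x01, 0x00, 0x02 };

int main(void)
{
    avrc_vendor_cmd_t cmd;
    printf("good frame accepted: %d\n", avrc_parse_vendor_cmd(kGoodFrame, sizeof kGoodFrame, &cmd));
    printf("truncated frame rejected: %d\n", !avrc_parse_vendor_cmd(kTruncatedFrame, sizeof kTruncatedFrame, &cmd));
    return 0;
}
```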

Affected Version(s)

esp-idf >= 5.5-beta1, <= 5.5.1

esp-idf >= 5.4-beta1, <= 5.4.3

esp-idf >= 5.3-beta1, <= 5.3.4

CVSS v4

Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 2 December 2025

  • Vulnerability reserved