Use-After-Free Vulnerability in Espressif IoT Development Framework
CVE-2026-25507

6.3MEDIUM

Key Information:

Vendor

Espressif

Status
Esp-idf
Vendor
CVE Published:
4 February 2026

What is CVE-2026-25507?

A vulnerability has been identified in the Espressif Internet of Things Development Framework, specifically within the BLE provisioning transport layer. When devices are in provisioning mode, a misuse of memory management arises if provisioning is interrupted while keep_ble_on is set to true. This configuration leads to the improper freeing of internal states and GATT metadata, while the BLE stack and GATT services continue to operate. As a result, subsequent BLE operations may interact with inaccessible memory, potentially causing system instability or exposing sensitive data. The affected versions have been updated to address this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

esp-idf = 5.5.2 = 5.5.2

esp-idf = 5.4.3 = 5.4.3

esp-idf = 5.3.4 = 5.3.4

References

https://github.com/espressif/esp-idf/security/advisories/...
x_refsource_CONFIRM
https://github.com/espressif/esp-idf/commit/0540c85140c2c...
x_refsource_MISC
https://github.com/espressif/esp-idf/commit/1ff264abf2504...
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.