Out-of-Bounds Read Vulnerability in Espressif IoT Development Framework's DHCP Server
CVE-2026-45160

6.5MEDIUM

Key Information:

Vendor

Espressif

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45160?

The Espressif Internet of Things Development Framework (ESP-IDF) contains an out-of-bounds read vulnerability in its DHCP server option parser. This issue arises in the versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, where the option parser fails to validate the lengths of option bytes correctly. A specially crafted DHCP request can exploit this vulnerability, leading the parser to read beyond the boundaries of the options buffer, potentially accessing adjacent heap memory. This flaw impacts configurations where the device operates as a DHCP server on local networks. The vulnerability has been addressed in subsequent patched versions.

Affected Version(s)

esp-idf = 5.2.7 = 5.2.7

esp-idf = 5.3.5 = 5.3.5

esp-idf = 5.4.4 = 5.4.4

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.