Input Pointer Vulnerabilities in Espressif IoT Development Framework
CVE-2026-45329

7.1HIGH

Key Information:

Vendor

Espressif

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45329?

The Espressif Internet of Things Development Framework, specifically in versions 5.5.4 and 6.0, has a vulnerability due to insufficient validation of caller-supplied pointer arguments in several ESP-TEE secure-service wrappers. This flaw allows an attacker to supply pointers that can access TEE-exclusive memory areas, which can lead to the exposure of sensitive data. The results derived from these interactions can return raw bytes from TEE memory, offer a computed function of TEE memory over repeated invocations, or provide a single bit per call that can act as an incremental disclosure oracle for sensitive information. This vulnerability has been addressed in the updated versions 5.5.5 and 6.0.1.

Affected Version(s)

esp-idf = 6.0 = 6.0

esp-idf = 5.5.4 = 5.5.4

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.