Input Pointer Vulnerabilities in Espressif IoT Development Framework
CVE-2026-45329
7.1HIGH
What is CVE-2026-45329?
The Espressif Internet of Things Development Framework, specifically in versions 5.5.4 and 6.0, has a vulnerability due to insufficient validation of caller-supplied pointer arguments in several ESP-TEE secure-service wrappers. This flaw allows an attacker to supply pointers that can access TEE-exclusive memory areas, which can lead to the exposure of sensitive data. The results derived from these interactions can return raw bytes from TEE memory, offer a computed function of TEE memory over repeated invocations, or provide a single bit per call that can act as an incremental disclosure oracle for sensitive information. This vulnerability has been addressed in the updated versions 5.5.5 and 6.0.1.
Affected Version(s)
esp-idf = 6.0 = 6.0
esp-idf = 5.5.4 = 5.5.4
