ESF-IDF: Heap Out-of-Bounds Read in Bluedroid AVRCP Target Parser
CVE-2026-46532

4.6MEDIUM

Key Information:

Vendor: Espressif
Status: Esp-idf
Vendor: CVE Published:; 10 June 2026

🔔 Create Espressif Vulnerability Alert

What is CVE-2026-46532?

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c). This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1.

Affected Version(s)

esp-idf = 5.2.6 = 5.2.6

esp-idf = 5.3.5 = 5.3.5

esp-idf = 5.4.4 = 5.4.4

References

https://github.com/espressif/esp-idf/security/advisories/...

x_refsource_CONFIRM

https://github.com/espressif/esp-idf/commit/56053c4d1f379...

x_refsource_MISC

https://github.com/espressif/esp-idf/commit/60f9362f83a05...

x_refsource_MISC

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 14, 2026

CVE-2026-46532 Data

.