Description
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
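The missing check the description points at, as an added example that is not code from ESP-IDF or esp32-bt-lib: a hypothetical, minimal receive-side model in C of the LMP Secure Simple Pairing exchange that tracks the pairing phase, so a replayed (byte-identical) LMP_IO_CAPABILITY_REQ is rejected instead of re-entering pairing setup. The opcode numbers (escape opcode 127, extended opcode 25 for IO_Capability_req) are from the Bluetooth Core Specification Vol 2 Part C; the state names, the link struct, the parameter layout after the opcode bytes and the constructed PDU bytes are this example's own assumptions, and it makes no claim about where the out-of-bounds write in ESP-IDF actually occurs.

```c
/* Added example, not ESP-IDF / esp32-bt-lib code. Hypothetical model of a
 * responder-side LMP handler that records pairing phase per link so that a
 * duplicated IO Capability Request cannot restart the exchange mid-pairing. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LMP_ESCAPE_OPCODE   127   /* Core spec: extended opcode follows in byte 1 */
#define LMP_EXT_IO_CAP_REQ   25   /* Core spec: LMP_IO_CAPABILITY_REQ */

typedef enum { PAIR_IDLE, PAIR_IO_CAP_DONE } pair_state_t;   /* assumed states */

typedef enum {
    LMP_ACCEPTED,
    LMP_REJECTED_DUPLICATE,   /* IO cap req while a pairing is already in progress */
    LMP_REJECTED_MALFORMED,   /* PDU shorter than its parameter list */
    LMP_IGNORED               /* PDU this model does not handle */
} lmp_result_t;

typedef struct {
    pair_state_t state;
    uint8_t peer_io_cap, peer_oob, peer_auth_req;   /* IO_Capability_req params */
    unsigned duplicates_rejected;                   /* counter for the demo/test */
} lmp_link_t;

void lmp_link_init(lmp_link_t *l) { memset(l, 0, sizeof *l); }

/* Pairing finished (or aborted): only now may a fresh IO cap request start over. */
void lmp_pairing_complete(lmp_link_t *l) { l->state = PAIR_IDLE; }

/* Assumed framing: byte 0 = (opcode << 1) | transaction ID, byte 1 = extended
 * opcode, then IO capability, OOB data present, authentication requirements. */
lmp_result_t lmp_handle_pdu(lmp_link_t *l, const uint8_t *pdu, size_t len)
{
    if (len < 2) return LMP_REJECTED_MALFORMED;
    if ((pdu[0] >> 1) != LMP_ESCAPE_OPCODE) return LMP_IGNORED;

    switch (pdu[1]) {
    case LMP_EXT_IO_CAP_REQ:
        if (len < 5) return LMP_REJECTED_MALFORMED;   /* three parameter bytes */
        /* A second request while the exchange is in progress is a replay or a
         * confused peer; refuse it rather than re-initialising pairing state. */
        if (l->state != PAIR_IDLE) {
            l->duplicates_rejected++;
            return LMP_REJECTED_DUPLICATE;
        }
        l->peer_io_cap   = pdu[2];
        l->peer_oob      = pdu[3];
        l->peer_auth_req = pdu[4];
        l->state = PAIR_IO_CAP_DONE;
        return LMP_ACCEPTED;
    default:
        return LMP_IGNORED;
    }
}

/* Replay scenario: one legitimate request followed by two identical copies.
 * Returns how many copies were refused (2 for this constructed input). */
unsigned lmp_replay_demo(void)
{
    /* Constructed PDU: escape opcode 127 / TID 0, ext opcode 25, IO capability
     * 0x01 (DisplayYesNo), OOB absent, auth req 0x03 (MITM + dedicated bonding). */
    const uint8_t io_cap_req[5] = {
        (uint8_t)(LMP_ESCAPE_OPCODE << 1), LMP_EXT_IO_CAP_REQ, 0x01, 0x00, 0x03
    };
    lmp_link_t link;
    lmp_link_init(&link);
    lmp_handle_pdu(&link, io_cap_req, sizeof io_cap_req);   /* accepted */
    lmp_handle_pdu(&link, io_cap_req, sizeof io_cap_req);   /* replay, rejected */
    lmp_handle_pdu(&link, io_cap_req, sizeof io_cap_req);   /* replay, rejected */
    return link.duplicates_rejected;
}
```

The point of the model is that per-link phase is the thing to check before touching any buffer the request populates: a duplicate is refused on the opcode/state pair alone, and a legitimate second pairing is only admitted after `lmp_pairing_complete()` returns the link to idle.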
References (4)
Product, Third Party Advisory (x_refsource_misc): https://github.com/espressif/esp-idf
Product, Third Party Advisory (x_refsource_misc): https://github.com/espressif/esp32-bt-lib
Product, Vendor Advisory (x_refsource_misc): https://www.espressif.com/en/products/socs/esp32
Technical Description, Third Party Advisory (x_refsource_misc): https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
Scores
CVSS v3.1 base score: 6.5 (Medium)
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: ADJACENT_NETWORK (attacker must be within Bluetooth radio range; no privileges or user interaction required; impact is availability only)
EPSS: 0.0026 (49.2th percentile)
Details
CWE: CWE-787 (Out-of-bounds Write)
Status: published
Products (1): espressif/esp-idf < 4.4
Published: Sep 07, 2021
Tracked Since: Feb 18, 2026