Description
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References (4)
Core 4
Core References
Product, Third Party Advisory x_refsource_misc
https://github.com/espressif/esp-idf
Product, Third Party Advisory x_refsource_misc
https://github.com/espressif/esp32-bt-lib
Product, Vendor Advisory x_refsource_misc
https://www.espressif.com/en/products/socs/esp32
Technical Description, Third Party Advisory x_refsource_misc
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
Scores
CVSS v3
8.8
EPSS
0.0156
EPSS Percentile
81.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
espressif/esp-idf
< 4.4
Published
Sep 07, 2021
Tracked Since
Feb 18, 2026