CVE-2025-64342

MEDIUM

ESP32 <5.5.2-5.4.3-5.3 - DoS

Title source: llm

Description

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5.

References (7)

[Vendor Advisory] https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v

[Patch] https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa

[Patch] https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a

[Patch] https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768

[Patch] https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b

[Patch] https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc

[Patch] https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925

View Patch ZIP pw:eip

Scores

CVSS v4 6.9

EPSS 0.0008

EPSS Percentile 24.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-754

Status published

Products (5)

espressif/esp-idf < 5.1.7

espressif/esp-idf >= 5.2-beta1, < 5.2.6

espressif/esp-idf >= 5.3-beta1, < 5.3.5

espressif/esp-idf >= 5.4-beta1, < 5.4.3

espressif/esp-idf >= 5.5-beta1, < 5.5.2

Published Nov 17, 2025

Tracked Since Feb 18, 2026