CVE-2025-65092
MEDIUMEspressif IOT Dev Framework <5.5.1-5.3.4 - Buffer Overflow
Title source: llmDescription
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8
Patch x_refsource_misc
https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c
Patch x_refsource_misc
https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42
Patch x_refsource_misc
https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17
Scores
CVSS v4
6.9
EPSS
0.0030
EPSS Percentile
21.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-125
CWE-191
Status
published
Products (3)
espressif/esp-idf
= 5.3.4
espressif/esp-idf
= 5.4.3
espressif/esp-idf
= 5.5.1
Published
Nov 21, 2025
Tracked Since
Feb 18, 2026