CVE-2026-45328

CRITICAL

Espressif ESP-IDF ESP-TEE Secure Services - Out-of-Bounds Write

Title source: manual

Description

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.

Scores

CVSS v3 9.3
EPSS 0.0013
EPSS Percentile 2.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20 CWE-787
Status published
Products (4)
espressif/esp-idf 5.5.4
espressif/esp-idf 6.0
espressif/esp-idf = 5.5.4
espressif/esp-idf = 6.0
Published Jun 10, 2026
Tracked Since Jun 10, 2026