CVE-2026-25507
📋 TL;DR
A use-after-free vulnerability in the ESP-IDF BLE provisioning transport layer allows remote attackers to trigger invalid memory access via Bluetooth Low Energy connections. This affects IoT devices using vulnerable ESP-IDF versions while in provisioning mode with keep_ble_on=true configuration. The vulnerability can lead to crashes or potential code execution.
💻 Affected Systems
- Espressif IoT Development Framework (ESP-IDF)
📦 What is this software?
ESP-IDF by Espressif
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, data theft, or device bricking
Likely Case
Device crash or denial of service, potentially allowing privilege escalation in multi-tenant environments
If Mitigated
Limited to denial of service if memory protections are enabled, but still poses availability risk
🎯 Exploit Status
Exploitation requires BLE access to a device in provisioning mode, but no authentication is needed once connected
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.3, 5.4.4, 5.3.5, 5.2.7, 5.1.7
Vendor Advisory: https://github.com/espressif/esp-idf/security/advisories
Restart Required: Yes
Instructions:
1. Update ESP-IDF using 'git pull' from the official repository.
2. Rebuild the firmware with the updated SDK.
3. Flash the updated firmware to affected devices.
4. Verify that BLE provisioning works correctly.
🔧 Temporary Workarounds
Disable keep_ble_on during provisioning stop
Applies to: all
Set keep_ble_on=false when stopping BLE provisioning to avoid the vulnerable code path
esp_ble_mesh_provisioner_prov_enable(false)
Disable BLE provisioning entirely
Applies to: all
Remove or disable BLE provisioning features if not required
# Disable BLE provisioning in sdkconfig: CONFIG_BT_ENABLED=n
🧯 If You Can't Patch
- Disable BLE provisioning mode in production devices
- Implement network segmentation to limit BLE access to trusted devices only
🔍 How to Verify
Check if Vulnerable:
Check ESP-IDF version and verify if BLE provisioning with keep_ble_on=true is configured
Check Version:
idf.py --version | grep -E 'ESP-IDF v5\.(5\.[0-2]|4\.[0-3]|3\.[0-4]|2\.[0-6]|1\.[0-6])($|[^0-9])'
(matches any release on the 5.1 to 5.5 branches older than the patched version; the same "ESP-IDF v..." string also appears in build logs)
Verify Fix Applied:
Verify ESP-IDF version is patched and test BLE provisioning stop with keep_ble_on=true
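The version check and the sdkconfig check above, combined into one script. This is an added example, not code from the advisory or from Espressif; it assumes that "idf.py --version" prints a line such as "ESP-IDF v5.4.1-dirty" and takes the fixed versions (5.5.3, 5.4.4, 5.3.5, 5.2.7, 5.1.7) from this page.

```shell
#!/bin/sh
# Added example (not from the advisory or from Espressif): classify an ESP-IDF
# version against the fixed releases this advisory lists (5.5.3, 5.4.4, 5.3.5,
# 5.2.7, 5.1.7) and check whether the BLE stack is compiled into the project.
# Assumption: "idf.py --version" prints a line such as "ESP-IDF v5.4.1-dirty".

# Prints vulnerable / patched / unknown and returns 1 / 0 / 2.
# Any release on a listed 5.x branch that is older than the fix is "vulnerable";
# other branches and unparsable strings are "unknown" rather than silently OK.
cve_2026_25507_status() {
    ver=$(printf '%s' "$1" | sed -n 's/.*v*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    set -- $ver
    [ "$#" -eq 3 ] && [ "$1" -eq 5 ] || { echo unknown; return 2; }
    case "$2" in
        5) fixed=3 ;;
        4) fixed=4 ;;
        3) fixed=5 ;;
        2) fixed=7 ;;
        1) fixed=7 ;;
        *) echo unknown; return 2 ;;
    esac
    if [ "$3" -ge "$fixed" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Returns 0 when CONFIG_BT_ENABLED=y is present in the given sdkconfig, i.e. the
# Bluetooth stack (and with it protocomm_ble) is part of the build; 1 otherwise.
bt_enabled_in_sdkconfig() {
    grep -q '^CONFIG_BT_ENABLED=y' "$1"
}

# Combined report; returns 1 only when the SDK is unpatched AND BLE is built in.
cve_2026_25507_report() {
    sdk_state=$(cve_2026_25507_status "$1") || true
    if bt_enabled_in_sdkconfig "$2"; then bt=y; else bt=n; fi
    echo "ESP-IDF: $sdk_state, CONFIG_BT_ENABLED=$bt"
    if [ "$sdk_state" = vulnerable ] && [ "$bt" = y ]; then return 1; fi
    return 0
}

# Usage: run from a project directory with the toolchain on PATH.
if command -v idf.py >/dev/null 2>&1 && [ -f sdkconfig ]; then
    cve_2026_25507_report "$(idf.py --version 2>/dev/null)" sdkconfig
fi
```

The report treats a disabled Bluetooth stack as not affected, matching the CONFIG_BT_ENABLED=n workaround above; keep_ble_on itself is a runtime setting and has to be checked in the application source.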
📡 Detection & Monitoring
Log Indicators:
- Memory access violation logs
- BLE provisioning stop events with errors
- Device crashes during BLE operations
Network Indicators:
- Unexpected BLE disconnections during provisioning
- Multiple BLE connection attempts to provisioning services
SIEM Query:
device_logs: "protocomm_ble" AND ("use-after-free" OR "memory violation" OR "segmentation fault")
🔗 References
- https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9
- https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7
- https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70
- https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6
- https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf
- https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663
- https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63
- https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg