CVE-2025-68474

Source
https://cve.org/CVERecord?id=CVE-2025-68474
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68474.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68474
Aliases
  • GHSA-43gh-7r4f-qp57
Published
2025-12-26T23:57:54.853Z
Modified
2026-03-01T02:55:43.391167Z
Severity
  • 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L
Summary
ESP-IDF Has Out-of-Bounds Write in ESP32 Bluetooth AVRCP Vendor Command Handling
Details

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the fixed header data actually written before the vendor payload exceeds this value: a total of 29 bytes is written before p_msg->p_vendor_data is copied. Validating against the old AVRC_MIN_CMD_LEN could therefore allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68474.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ]
}
Affected packages

Git / github.com/espressif/esp-idf

Affected ranges

Type
GIT
Repo
https://github.com/espressif/esp-idf
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.5-beta1"
        },
        {
            "last_affected": "5.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/espressif/esp-idf
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.4-beta1"
        },
        {
            "last_affected": "5.4.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/espressif/esp-idf
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.3-beta1"
        },
        {
            "last_affected": "5.3.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/espressif/esp-idf
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.2-beta1"
        },
        {
            "last_affected": "5.2.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/espressif/esp-idf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.1.6"
        }
    ]
}

Affected versions

v0.*
v0.9
v1.*
v1.0
v2.*
v2.0-rc1
v2.1-rc1
v3.*
v3.0-dev
v3.1-beta1
v3.1-dev
v3.2-beta1
v3.2-dev
v3.3-beta1
v3.3-beta2
v3.3-dev
v4.*
v4.0-dev
v4.1-dev
v4.2-dev
v4.3-beta1
v4.3-dev
v4.4-dev
v5.*
v5.0-beta1
v5.0-dev
v5.1
v5.1-beta1
v5.1-dev
v5.1-rc1
v5.1-rc2
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.2
v5.2-beta1
v5.2-beta2
v5.2-rc1
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.3
v5.3-beta1
v5.3-beta2
v5.3-rc1
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4
v5.4-beta1
v5.4-beta2
v5.4-rc1
v5.4.1
v5.4.2
v5.4.3
v5.5
v5.5-beta1
v5.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68474.json"