ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocommble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keepbleon = true. In this configuration, internal protocommble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-416"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25507.json"
}{
"source": [
"CPE_STRING",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "5.1.6"
},
{
"last_affected": "5.1.6"
},
{
"introduced": "5.2.6"
},
{
"last_affected": "5.2.6"
},
{
"introduced": "5.3.4"
},
{
"last_affected": "5.3.4"
},
{
"introduced": "5.4.3"
},
{
"last_affected": "5.4.3"
},
{
"introduced": "5.5.2"
},
{
"last_affected": "5.5.2"
}
],
"cpe": [
"cpe:2.3:a:espressif:esp-idf:5.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.5.2:*:*:*:*:*:*:*"
]
}