ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced the freed memory, allowing a connected or newly connected client to trigger invalid memory access. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-416"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25507.json"
}[
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-0bec9530",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "transport_simple_ble_connect"
},
"digest": {
"length": 1044.0,
"function_hash": "265092944354878825703380833765338138336"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2026-25507-120a7d65",
"target": {
"file": "components/protocomm/src/simple_ble/simple_ble.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"315096193931674132959326456275400050276",
"251510484522902961588729127448224250934",
"83172832641155593798515671104347638858",
"161839469816953246151106074888481895376"
]
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-1711d50c",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "uuid128_to_handler"
},
"digest": {
"length": 499.0,
"function_hash": "185066475565834699703649049016163648732"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2026-25507-1d66f76a",
"target": {
"file": "components/protocomm/src/simple_ble/simple_ble.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"21378149387348444712870074521680112632",
"152625781465593429671681918063545965789",
"236000702885165517364605329453060666273",
"133065752810075120727216215306936757451",
"89378130330309579133929290092892803597",
"27408393792113586493953809787867927713"
]
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-268b5008",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_write"
},
"digest": {
"length": 1272.0,
"function_hash": "66030955795817474467566410532838072500"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-2e6b9f6b",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "transport_simple_ble_disconnect"
},
"digest": {
"length": 1165.0,
"function_hash": "252852174837927050436042974481345170084"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-2e89d673",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "protocomm_ble_stop"
},
"digest": {
"length": 913.0,
"function_hash": "175949270531941533956132385938030403612"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-3682ae24",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_disconnect"
},
"digest": {
"length": 1090.0,
"function_hash": "137977890203657838024463867444851577239"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-47121ee0",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "prepare_write_event_env"
},
"digest": {
"length": 2038.0,
"function_hash": "246071474191416490191291873685275861098"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-6817c123",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "protocomm_ble_start"
},
"digest": {
"length": 3898.0,
"function_hash": "273680270337647292687517351220293930857"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-6872ee69",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "handle_to_handler"
},
"digest": {
"length": 369.0,
"function_hash": "159964077914903168610949221589574897068"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-7c39772d",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "gatt_svr_dsc_access"
},
"digest": {
"length": 373.0,
"function_hash": "45462595951379773585941786623287409556"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2026-25507-8b681fa3",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"14995544720486937275774499710030464432",
"281156845558696565371763276525268589323",
"126641375047763858361145910998321931866",
"62473897938282535547686015161346783899",
"156100672753514161061016751509569238140",
"236869822182097671947913059453617233632",
"141995168454696275635339528129016599677",
"254214841877067184331616076879465676280",
"157758147912296961435444943278374260824",
"38984603111101267351480134305415949000",
"322382760380431200178322535805649536959",
"315903252159372237838500514873033508191",
"32720033850564844600880951053237579536",
"279273384036628430423100607185785054039",
"190903419842105574475501500775698464944",
"142717586158111270503823819061807603173",
"144189770428534875302669861187602610976",
"93194311289380118336124934858187992031",
"302017215365287451989701613141899619770",
"225898782230722386791742901136852980513",
"230693998704787385367614072333989838005",
"80166315916574719093926685697368683660",
"122269716863542909393186175246101033396",
"230693998704787385367614072333989838005",
"103485723289278307706768719667829574538",
"301884057955978051794073525212486723132",
"92598134377928132239649360454323652087",
"39699313502254205028906459162406368675",
"13397558939649396386474486187805786758",
"41866232512888504942304128357938133406",
"317244194327752182728097878254186733083",
"26978584633754160777577560689935499190",
"290564003126783802964863135460022012477",
"17376449365540832315957925428087940526",
"307807303052934585450808173196331905295",
"172649782484658335594624641698144433658",
"29174696824622897686174599313683294026",
"60348303524838200837806915240836162976",
"205130950075328670660949362543217903963",
"306998882643252163661099685640581103127",
"325525173887703431291165741884775863797",
"256680665047900213289469041958523339653",
"246798283590726802912001083736206760991",
"50520197031508710948810545887463528096",
"231272143041137437160707085319672213152",
"23288644252381244891680926030942712387",
"314540119803240203625407961711609831781",
"285933844330886021754075661293939809104",
"235336850875718822200596618404899875078",
"205308063672049669863790528369528626174",
"259142076475321563649603459477676133333",
"275543465635192408518476595658462265385",
"324639382510266819127169904810907270598",
"220189664991189490637630175853138998731",
"42749813068584468022765656708074434424",
"297464230861028806264540141843722149732",
"100141813110512949510394868585705141646",
"24235370764360687857257125087792762465",
"139864388247591628080775434177188534175"
]
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-8bc8ea55",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_set_mtu"
},
"digest": {
"length": 133.0,
"function_hash": "52800084617639390724813296554893868485"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-8cb29fb0",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "transport_simple_ble_set_mtu"
},
"digest": {
"length": 123.0,
"function_hash": "29663101477782023129658245969149268064"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-9013134f",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "protocomm_ble_cleanup"
},
"digest": {
"length": 691.0,
"function_hash": "325787697391706651632886409764734061468"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2026-25507-96fdd0dd",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"257710264239704648227060232753346472612",
"329764188385261334565992717220351168316",
"120170865655081233682433304943533894427",
"32393058709236010179031793725661346622",
"21370391142885345095148611871644375611",
"97825778069687380037534977532010009802",
"246508871972459452726291885168072807557",
"281006511243982490344942443086886345087",
"244807548812852247264822494116682379642",
"58633829289552352613329210069842326384",
"261743385782775486851058475146143128234",
"260336413357353524056592476100375830586",
"6403994011351223087011048287023730918",
"177912674532721776956925475705211198728",
"318701918645424790588459160778805306676",
"101282999868686696806129532337943833204",
"285323255698958326450143928637599192282",
"260849133137630298758053022077191640656",
"259283405024063495438217518167157745266",
"211171762541864366821440965914535360712",
"221639113771852350065397501325224551592",
"116965301512959357285961195660163724577",
"328557855233430996665040222619231622341",
"300562617480593172536952913037424856968",
"164798815645570053988166372618537775337",
"258272738451812475861075652189910684284",
"48771159233669945975554797462733047346",
"40904896292973127358064133725647846",
"230693998704787385367614072333989838005",
"80166315916574719093926685697368683660",
"132245061728982872117091873350343975631",
"256569740479023789542707559100443732236",
"310782953103250125739886682930339281661",
"133763774347138115511292481038125693521",
"40904896292973127358064133725647846",
"230693998704787385367614072333989838005",
"103485723289278307706768719667829574538",
"87833027963148101384350870641982731386",
"133360392153856581929072633477251683360",
"170002391055020272968536153207288763445",
"186349025901675348896286860913784273159",
"338407048549300573683197613038948592792",
"241401798012532152388774189880585612580",
"190739601565344670200017528739349133085",
"121054594478200758090319324772495912393",
"24032427381127620851219797410527550641",
"1607587221917510676949498437119421598",
"251228176731292428129831321819074086122",
"104414682028185540061533032255749974548",
"61317576666999109176700232866034832349",
"252108714120504479691760312162722685385",
"45182758668270968110375149399302495827",
"29174696824622897686174599313683294026",
"296527540201909041392749463929930676993",
"165285451311214586206799876272560986142",
"165137778531504994716004771240476085421",
"301702447840036816887543860635180887757",
"79951578423774237636867445848485060455",
"271952480959408333370951241425238275695",
"208276206156888990735625202316702798628",
"284787200966007752833796429188004748861",
"197162619818149378243036155725851501758",
"164809818845664916219060741039574873025",
"48208582180861149522199007990478004153",
"85963354425167730939075044251024139352",
"247167436728612792580530030972844083652",
"53800392318657248124442643839055904693",
"183703022832257531494003559932363281481",
"120159778013182085180317695603820128453",
"25308624880274732059097199507510744640",
"298603250738959558840975376529198660865",
"24235370764360687857257125087792762465",
"139864388247591628080775434177188534175"
]
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-9c720e45",
"target": {
"file": "components/protocomm/src/transports/protocomm_nimble.c",
"function": "gatt_svr_chr_access"
},
"digest": {
"length": 2248.0,
"function_hash": "97570995413996262338588027328006426387"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-a8f14917",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_connect"
},
"digest": {
"length": 990.0,
"function_hash": "259771385175438895452569171096745912782"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-bb4f601e",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "protocomm_ble_start"
},
"digest": {
"length": 3804.0,
"function_hash": "329306190190962484664580386318247843807"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2026-25507-c135a4a4",
"target": {
"file": "components/protocomm/include/transports/protocomm_ble.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"37132769335001316011630232488543223298",
"141995168454696275635339528129016599677",
"330138740435034522905652976341116148202",
"159614267102962228647958864165286888042"
]
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-cd7e621b",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_exec_write"
},
"digest": {
"length": 1193.0,
"function_hash": "302502728169829495849238234762842032783"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-df1e5b6e",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "protocomm_ble_stop"
},
"digest": {
"length": 650.0,
"function_hash": "284936264160764206896614385607726257107"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2026-25507-efc746e1",
"target": {
"file": "components/protocomm/src/transports/protocomm_ble.c",
"function": "transport_simple_ble_read"
},
"digest": {
"length": 1305.0,
"function_hash": "63200799082803172625061943333402630734"
},
"signature_version": "v1",
"source": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25507.json"