ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esphttpserver component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45541.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-476"
]
}{
"source": [
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:espressif:esp-idf:5.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.3.5:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:5.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:espressif:esp-idf:6.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "5.2.6"
},
{
"last_affected": "5.2.6"
},
{
"introduced": "5.3.5"
},
{
"last_affected": "5.3.5"
},
{
"introduced": "5.4.4"
},
{
"last_affected": "5.4.4"
},
{
"introduced": "5.5.4"
},
{
"last_affected": "5.5.4"
},
{
"introduced": "6.0"
},
{
"last_affected": "6.0"
}
]
}