ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpegparsedqtmarker() in components/espdriverjpeg/jpegparsemarker.c because the attacker-controlled DQT marker Tq nibble is used as an index into the qttbl array without validating that it is in the range 0..3, allowing malformed JPEG input to corrupt stack memory and reliably trigger a denial of service. This issue is fixed in version 6.0.2 and is expected to be fixed in versions 5.5.5, 5.4.5, and 5.3.6.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55687.json",
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.2"
},
{
"introduced": "5.5.0"
},
{
"last_affected": "5.5.4"
},
{
"introduced": "5.4.0"
},
{
"last_affected": "5.4.4"
},
{
"introduced": "0"
},
{
"last_affected": "5.3.5"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}