CVE-2026-25507 Overview
CVE-2026-25507 is a use-after-free vulnerability in the ESP-IDF (Espressif IoT Development Framework) affecting the BLE provisioning transport (protocomm_ble) layer. This memory corruption flaw can be triggered remotely by a BLE client while an ESP32-based device is in provisioning mode, potentially leading to denial of service or memory corruption.
The vulnerability occurs when provisioning is stopped with the keep_ble_on = true configuration option. Under this condition, internal protocomm_ble state and GATT metadata are freed while the BLE stack and GATT services remain active. Subsequent BLE read or write callbacks then dereference the freed memory, allowing a connected or newly connected client to trigger invalid memory access.
Critical Impact
Remote BLE attackers within adjacent network range can exploit this use-after-free condition during device provisioning to cause denial of service or potentially corrupt memory on ESP32-based IoT devices.
Affected Products
- ESP-IDF version 5.5.2
- ESP-IDF version 5.4.3
- ESP-IDF version 5.3.4
- ESP-IDF version 5.2.6
- ESP-IDF version 5.1.6
Discovery Timeline
- 2026-02-04 - CVE-2026-25507 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25507
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) exists in the protocomm_ble component of ESP-IDF, which handles BLE-based provisioning for ESP32 devices. The flaw stems from improper memory lifecycle management when the provisioning process is terminated.
When an application calls to stop provisioning with keep_ble_on = true, the framework frees the internal state structures and GATT service metadata used by protocomm_ble. However, the underlying BLE stack and registered GATT services remain active and operational. This creates a dangerous condition where the GATT callback functions still reference the freed memory structures.
A remote attacker within BLE range (adjacent network) can exploit this by either maintaining an existing connection or establishing a new connection to the device after provisioning has been stopped. When the attacker issues BLE read or write operations, the GATT callbacks attempt to dereference the freed memory pointers, resulting in invalid memory access.
Root Cause
The root cause is a race condition and improper resource cleanup in the protocomm_ble layer. When keep_ble_on is set to true, the code incorrectly assumes that freeing the internal protocol communication state is safe because the BLE functionality should persist. However, the GATT service callbacks were registered with pointers to the now-freed state structures, creating dangling pointer references.
The proper fix requires either unregistering the GATT callbacks before freeing the state, maintaining the state alive as long as the BLE stack is active, or implementing reference counting to track when memory can safely be freed.
Attack Vector
The attack vector is Adjacent Network, meaning an attacker must be within BLE radio range of the vulnerable device. The attack can be executed without authentication or special privileges, though user interaction is required in the form of the device being in or having recently completed provisioning mode with the vulnerable configuration.
An attacker would follow this exploitation path:
- Identify an ESP32-based IoT device running a vulnerable ESP-IDF version in provisioning mode
- Wait for the device to stop provisioning with keep_ble_on = true, or trigger this condition if possible
- Connect to the device via BLE (either maintaining an existing connection or establishing a new one)
- Issue BLE read or write operations targeting the GATT services
- The GATT callbacks dereference freed memory, causing undefined behavior ranging from crashes to potential memory corruption
Detection Methods for CVE-2026-25507
Indicators of Compromise
- Unexpected device reboots or crashes during or shortly after BLE provisioning operations
- BLE stack errors or memory fault exceptions in device logs
- Unusual BLE connection patterns from unknown MAC addresses during provisioning windows
- Memory corruption signatures in crash dumps referencing protocomm_ble or GATT callback functions
Detection Strategies
- Monitor ESP32 device logs for memory access violations or stack traces involving protocomm_ble components
- Implement BLE connection monitoring to detect suspicious connection attempts during provisioning phases
- Deploy firmware version auditing to identify devices running vulnerable ESP-IDF versions (5.5.2, 5.4.3, 5.3.4, 5.2.6, 5.1.6)
- Use watchdog mechanisms to detect and log unexpected device resets that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for BLE provisioning operations to capture potential exploitation attempts
- Implement network-level BLE monitoring in environments with critical ESP32-based infrastructure
- Configure alerting for repeated device crashes during provisioning windows
- Maintain an asset inventory of ESP-IDF firmware versions across deployed IoT devices
How to Mitigate CVE-2026-25507
Immediate Actions Required
- Upgrade all ESP-IDF based firmware to patched versions: 5.5.3, 5.4.4, 5.3.5, 5.2.7, or 5.1.7
- If immediate patching is not possible, avoid using keep_ble_on = true configuration when stopping provisioning
- Limit the provisioning window duration to reduce the attack surface
- Restrict physical access to deployment areas during device provisioning phases
Patch Information
Espressif has released patched versions addressing this vulnerability. The fix ensures proper lifecycle management of protocomm_ble state and GATT metadata when provisioning is stopped. Multiple commits have been published to address this issue across different version branches.
For version 5.5.x, upgrade to 5.5.3. For version 5.4.x, upgrade to 5.4.4. For version 5.3.x, upgrade to 5.3.5. For version 5.2.x, upgrade to 5.2.7. For version 5.1.x, upgrade to 5.1.7.
Detailed patch information is available in the GitHub Security Advisory and associated commit updates.
Workarounds
- Set keep_ble_on = false when stopping provisioning to ensure the BLE stack is properly shut down along with the freed state
- Implement application-level controls to disable BLE entirely after provisioning is complete
- Add physical security measures to limit BLE radio access during provisioning windows
- Schedule provisioning operations in controlled environments with limited BLE exposure
# Configuration example - Use secure provisioning configuration
# In your ESP-IDF project's sdkconfig or menuconfig:
# Ensure keep_ble_on is disabled when stopping provisioning
# This prevents the use-after-free condition by shutting down
# the BLE stack when provisioning state is freed
# In application code, when calling protocomm_ble_stop():
# protocomm_ble_stop(pc); // Ensure BLE stack is fully stopped
# Update ESP-IDF to patched version:
# idf.py update-components
# Or manually update via:
# cd $IDF_PATH && git fetch && git checkout v5.5.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
