CVE-2026-45160 Overview
CVE-2026-45160 is an out-of-bounds read vulnerability in the DHCP server option parser shipped with the Espressif IoT Development Framework (ESP-IDF) lwIP component. The flaw resides in the parse_options() function in components/lwip/apps/dhcpserver/dhcpserver.c. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects ESP-IDF SoftAP deployments and any configuration where the device runs as a DHCP server on a local network [CWE-125].
Critical Impact
An adjacent network attacker can send a crafted DHCP request to trigger heap memory disclosure or crash the device, disrupting availability of IoT endpoints acting as DHCP servers.
Affected Products
- ESP-IDF version 5.2.7
- ESP-IDF versions 5.3.5, 5.4.4, and 5.5.4
- ESP-IDF version 6.0.1
Discovery Timeline
- 2026-06-10 - CVE-2026-45160 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45160
Vulnerability Analysis
The vulnerability resides in the DHCP server option parser within ESP-IDF's lwIP component. DHCP options follow a Type-Length-Value (TLV) layout in which a single byte specifies the option code, a second byte specifies the payload length, and the declared number of payload bytes follows. The parse_options() routine iterates through these TLV entries to interpret client-supplied parameters.
The parser does not verify that the length byte and its declared payload remain within the received packet buffer. As a result, a crafted DHCP request with an option length pointing past the end of the buffer causes the parser to read adjacent heap memory. The read can return arbitrary bytes from neighboring allocations or trigger an access fault that crashes the device firmware.
Root Cause
The root cause is missing bounds validation on attacker-controlled length fields during option parsing. The parser trusts the option length declared by the DHCP client and advances its read cursor without checking the remaining buffer size. This pattern matches the classic out-of-bounds read weakness category [CWE-125].
Attack Vector
Exploitation requires adjacent network access. Any client on the same Layer 2 segment as an ESP-IDF device acting as a DHCP server, including a station associated to the device's SoftAP, can deliver a crafted DHCP DISCOVER or REQUEST packet. No authentication and no user interaction are required. The primary impact is denial of service against the IoT endpoint, with secondary potential for heap memory disclosure to adjacent allocations.
No verified exploit code is publicly available. Refer to the Espressif Security Advisory GHSA-g764-gwc3-75m5 for additional technical context.
Detection Methods for CVE-2026-45160
Indicators of Compromise
- Unexpected reboots, watchdog resets, or task panics on ESP-IDF devices operating in SoftAP or DHCP server roles.
- DHCP packets on the local segment containing option length bytes that exceed the remaining UDP payload size.
- Repeated malformed DHCP DISCOVER or REQUEST frames originating from a single client MAC address.
Detection Strategies
- Inspect captured DHCP traffic with a parser that validates TLV option boundaries and flags entries whose declared length extends beyond the packet.
- Correlate ESP-IDF device crash logs and core dumps with concurrent DHCP activity on the affected wireless segment.
- Track firmware versions across the IoT fleet and identify devices still running 5.2.7, 5.3.5, 5.4.4, 5.5.4, or 6.0.1.
Monitoring Recommendations
- Forward device serial logs and crash dumps to a central log store for correlation with network captures.
- Enable wireless intrusion monitoring on segments where ESP-IDF SoftAP devices are deployed.
- Alert on sustained DHCP traffic anomalies, particularly malformed option fields directed at embedded devices.
How to Mitigate CVE-2026-45160
Immediate Actions Required
- Upgrade ESP-IDF to a patched release: 5.2.8, 5.3.6, 5.4.5, 5.5.5, or 6.0.2, then rebuild and reflash affected firmware.
- Inventory devices that run as DHCP servers, including SoftAP-enabled products, and prioritize them for patching.
- Restrict who can associate to ESP-IDF SoftAP networks by enforcing WPA2 or WPA3 with strong pre-shared keys.
Patch Information
Espressif released fixes in ESP-IDF versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2. The corrective changes are tracked across multiple commits referenced in the advisory, including commit 2bf4dd12, commit 2da2db43, commit 8b4b5d53, commit 9f713dbc, commit d51b1076, and commit fba5f995. See the Espressif Security Advisory GHSA-g764-gwc3-75m5 for the full advisory text.
Workarounds
- Disable the built-in DHCP server when the device does not need to assign addresses, and rely on an upstream DHCP server instead.
- Limit SoftAP exposure by disabling the access point in production builds or gating it behind a physical activation step.
- Segment ESP-IDF devices onto isolated VLANs or wireless networks to reduce the population of adjacent clients that can send DHCP traffic.
# Configuration example: disable the ESP-IDF DHCP server on the SoftAP interface
# Call before esp_netif_init() completes bringing up the AP
esp_netif_t *ap_netif = esp_netif_create_default_wifi_ap();
esp_netif_dhcps_stop(ap_netif);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

