CVE-2026-45542 Overview
CVE-2026-45542 is a heap buffer overflow [CWE-122] in the Espressif IoT Development Framework (ESP-IDF) protocomm component. The flaw resides in the Security Scheme 2 (SRP6a) session-setup path used during device provisioning. The first-phase handler handle_session_command0() in components/protocomm/src/security/security2.c trusts the length of a client-supplied protobuf field carrying the SRP6a username. The handler copies this value into a buffer whose size is derived from a narrower destination type, producing a truncation-versus-copy asymmetry that corrupts the heap when oversized input is supplied. Affected releases include ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0.
Critical Impact
An adjacent-network attacker can corrupt the heap of provisioning-enabled ESP-IDF devices, causing crashes and potential integrity loss during onboarding.
Affected Products
- Espressif ESP-IDF 5.2.6
- Espressif ESP-IDF 5.3.5, 5.4.4, 5.5.4
- Espressif ESP-IDF 6.0
Discovery Timeline
- 2026-06-10 - CVE-2026-45542 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45542
Vulnerability Analysis
The defect lives in the protocomm provisioning subsystem, which negotiates an SRP6a session between the device and a provisioning client over Wi-Fi, BLE, or HTTP transports. During the first session command, the handler reads the username field from a client-supplied protobuf message. The length is taken from the attacker-controlled wire encoding rather than being clamped against the destination buffer.
Because the destination buffer size is derived from a narrower integer type than the source length, the size computation truncates while the copy proceeds with the full value. The copy then writes past the end of the heap allocation, corrupting adjacent allocator metadata or neighboring objects. On embedded RTOS-class targets, this typically manifests as a crash, watchdog reset, or, in unfavorable allocator states, controlled corruption of nearby heap structures.
Root Cause
The root cause is a classic numeric-truncation-to-buffer-overflow pattern [CWE-122]. The username length, sourced from the protobuf payload, is treated as trusted and copied into a destination whose size was computed using a smaller integer width. The size check and the copy operate on different views of the same value, so a large input bypasses the implicit bound.
Attack Vector
Exploitation requires network adjacency to a device that exposes the protocomm provisioning endpoint with SRP6a (security2) enabled. Authentication is not required because the flaw is reached before SRP6a authentication completes. An attacker submits a SessionCmd0 protobuf with an oversized client_username field to trigger the overflow during session initialization.
// Patch context: components/protocomm/src/security/security1.c
// SPDX-FileCopyrightText: 2018-2026 Espressif Systems (Shanghai) CO LTD
// SPDX-License-Identifier: Apache-2.0
//
// The fix series also adjusts components/mbedtls/port/include/mbedtls/esp_config.h:
// #ifndef CONFIG_IDF_TARGET_LINUX
// #include "soc/soc_caps.h"
// #endif // !CONFIG_IDF_TARGET_LINUX
//
// Source: https://github.com/espressif/esp-idf/commit/0ea58d79845ad674d0358d5de246015a68c4cb4f
// Source: https://github.com/espressif/esp-idf/commit/56c3e385611e63162d0f2f8504ac4ae2ccfccef0
// Source: https://github.com/espressif/esp-idf/commit/71eb2dbe6aaef830719ecac8edf409e2992b64b2
Detection Methods for CVE-2026-45542
Indicators of Compromise
- Unexpected device resets or LoadProhibited, StoreProhibited, or heap-corruption panics in ESP32 logs during provisioning.
- Provisioning SessionCmd0 messages where the client_username length significantly exceeds typical SRP6a username sizes.
- Repeated failed provisioning attempts originating from the same adjacent client over BLE or SoftAP transports.
Detection Strategies
- Inspect protocomm transport logs for malformed protobuf SessionData messages targeting security2 handlers.
- Monitor firmware crash dumps and core files for faults inside handle_session_command0() or nearby heap routines.
- Compare deployed ESP-IDF build versions against the fixed releases listed in GHSA-9r76-858f-v6jh.
Monitoring Recommendations
- Forward device serial or syslog output to a central log store and alert on repeated provisioning failures from a single peer.
- Track Wi-Fi and BLE provisioning sessions per device and flag anomalous session-command volumes.
- Maintain an inventory of deployed ESP-IDF versions and feed it into vulnerability management so vulnerable fleets surface automatically.
How to Mitigate CVE-2026-45542
Immediate Actions Required
- Upgrade firmware to ESP-IDF 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1 as appropriate for your release branch.
- Disable or gate the provisioning service after onboarding completes to remove the attack surface in production.
- Restrict provisioning to controlled environments such as a wired bench network or a faraday-shielded staging area.
Patch Information
Espressif has patched the issue in ESP-IDF versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. The fix series spans the commits 0ea58d7, 56c3e38, 71eb2db, 9b4cacf, a2f4554, and f5d24a7. Full advisory details are available in GHSA-9r76-858f-v6jh.
Workarounds
- If immediate firmware updates are not feasible, switch provisioning to Security Scheme 1 or disable the SRP6a path until devices are patched.
- Limit provisioning windows to short, supervised intervals and tear down the provisioning transport (SoftAP, BLE) after enrollment.
- Reject or rate-limit provisioning peers at the application layer based on MAC address or BLE identity to reduce adjacent-network exposure.
# Configuration example: update the ESP-IDF release used by your build
cd $IDF_PATH
git fetch --tags
git checkout v5.5.5 # or v5.2.7 / v5.3.6 / v5.4.5 / v6.0.1
git submodule update --init --recursive
./install.sh
. ./export.sh
idf.py fullclean && idf.py build flash
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

