CVE-2026-45328: ESP-IDF Out-of-bounds Write Vulnerability
| Field | Value |
|---|---|
| CVE ID | CVE-2026-45328 |
| CVSS score | 9.3 |
| Attack vector | Unknown from retrieved NVD data |
| Auth required | Unknown from retrieved NVD data |
| Patch status | Fixed in ESP-IDF 5.5.5 and 6.0.1 |
TL;DR - ESP-IDF
esp_teein versions5.5.4and6.0has an input-validation flaw tied to out-of-bounds write risk. - Users building on affected SDK versions should upgrade to5.5.5or6.0.1. - Exploitation in the wild is not confirmed, but patch details are public and actionable.
Vulnerability at a Glance
CVE-2026-45328 affects Espressif ESP-IDF, specifically the esp_tee component that brokers requests from the Rich Execution Environment (REE) into TEE-protected services and hardware-backed functions. Vulnerable code exists in esp_secure_services.c and esp_secure_services_iram.c, where wrappers expose secure services for peripherals and features such as AES, SHA, ECC, HMAC, SPI, MMU, WDT, attestation, OTA updates, and secure storage.
The practical risk is not just a memory-safety bug in an ordinary library. This sits on a trust boundary between non-secure application-side code and protected services. Input validation failures in this context are serious, as they can undermine assumptions about protected operations, secure storage handling, or OTA integrity paths.
What is This Vulnerability?
The vulnerability is characterized as an improper input validation issue leading to out-of-bounds write risk in ESP-TEE secure-service wrappers. Public patch metadata indicates that the vendor added missing input validation checks for TEE service calls, strengthened failure handling around heap assertions, and fixed a potential OTA write bounds overflow. This issue is mapped to CWE-20, Improper Input Validation, and is classified as an out-of-bounds write in secure-service wrappers.
The patch evidence shows a pattern of replacing weak checks with explicit validation that buffers supplied from the REE are in the expected memory region and sized correctly. This issue appears tied to trust in caller-supplied pointers and lengths crossing the boundary into privileged code.
Who is Affected?
The affected product is Espressif ESP-IDF. The vulnerable versions are specifically "5.5.4" and "6.0", with fixed versions being "5.5.5" and "6.0.1". Defenders should ensure that their firmware, CI pipelines, or vendor SDK bundles do not pin to these versions. If you ship devices built with ESP-IDF 5.5.4 or 6.0, treat those images as requiring rebuild and redeployment.
CVSS Score and What It Means Operationally
The published CVSS score is 9.3, which places this issue in a critical-to-high operational tier. This vulnerability is in a wrapper layer that mediates access to security-sensitive functions and protected hardware resources. Bugs in this layer can have broader implications than ordinary application crashes.
Exploitation Status
As of the latest information, CISA KEV status is false, meaning CVE-2026-45328 is not listed in the Known Exploited Vulnerabilities catalog. Exploitation is not confirmed in the wild based on current KEV data. Although a distinct public PoC repository was not confirmed, the vulnerability is amenable to analysis due to the patch revealing where validation was added.
Technical Deep Dive
The patch adds missing input validation checks for TEE service calls, verifying whether buffers and pointers provided by the REE reside in valid memory ranges. The OTA fix also shows how the vulnerable condition could bypass a size boundary check.
Technical Notes
Representative code pattern from the patch rationale:
// safer form
if (size > ota_handle.tee_next.pos.size ||
rel_offset > ota_handle.tee_next.pos.size - size) {
return ESP_ERR_INVALID_SIZE;
}
Bottom Line for Practitioners
If you run or ship firmware built on ESP-IDF 5.5.4 or 6.0, you should plan remediation now. The vulnerability affects a sensitive trust boundary and has public patch material that makes reverse engineering of the flaw more feasible.
The most defensible action is to inventory affected builds, upgrade to 5.5.5 or 6.0.1, rebuild firmware, and prioritize validation of TEE-related functions and OTA flows.
For more information on related topics, you can explore our articles on Malware and Third Party Risk Management.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and Exposure Assessment
Detection begins with reviewing software bill of materials, build metadata, and source control. Identify repositories, container images, build scripts, or release manifests that reference esp-idf versions 5.5.4 or 6.0. Check for abnormal input conditions that may log assertion failures or OTA write errors.
Technical Notes
A practical first pass is to identify affected versions in source trees and build environments:
# Find esp-idf version references in common repo files
grep -RInE 'ESP-IDF v?(5\.5\.4|6\.0)\b|esp-idf.*(5\.5\.4|6\.0)\b' .
Mitigation and Patching
The primary mitigation is to upgrade from affected ESP-IDF versions "5.5.4" and "6.0" to fixed versions "5.5.5" and "6.0.1". If you control the firmware build chain, rebuild images against the fixed SDK and validate any components that interact with TEE-backed cryptography or OTA services.
If immediate upgrade is not possible, reduce exposure to code paths that pass untrusted inputs into TEE-backed secure services.
Technical Notes
Example upgrade workflows depend on how ESP-IDF is consumed. For a Git checkout pinned to a tag:
# Using an existing ESP-IDF checkout
cd $IDF_PATH
git fetch --tags
git checkout v5.5.5 # or v6.0.1
References
Primary references include the NVD entry, Espressif vulnerability documentation, and the GitHub advisory linked to the issue. These are the best starting points for confirming affected versions and reviewing fix provenance.
- NVD: CVE-2026-45328
- Espressif vulnerability documentation: Espressif Security
- GitHub advisory: GitHub Advisory