CVE-2026-45542EPSS p24.1%

CVE-2026-45542CVE-2026-45542

espressif / esp-idf

Description

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Scoring

CVSS 7.1 ()
VectorCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS0.33% probability of exploitation · percentile 24.1% · 2026-06-19T12:03:05Z
Last modified2026-06-11

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-45541
CVE
CVE-2026-45329
CVE
CVE-2026-46532
CVE
CVE-2025-55297
CVE
CVE-2026-25532
CVE
CVE-2026-45328
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.