Vulnerabilities
This page briefly lists all of the vulnerabilities that are discovered and fixed in each release. Please note that for the on-going issues or the issues under embargo period, the information on this page may reflect once the desired resolution has been achieved.
Note
Please refer to latest
version of this documentation guide for up-to-date information.
CVE-2024
CVE-2024-30949
RISC-V gettimeofday system call vulnerability in Newlib's
Impact: ESP-IDF does not use system call implementations from Newlib
Resolution: NA
CVE-2024-28183
Bootloader TOCTOU Vulnerability in Anti-rollback Scheme
Espressif Advisory: NA (Published on GitHub)
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
Advisory pointer: GHSA-22x6-3756-pfp8
CVE-2023
CVE-2023-35818
Security Advisory Concerning Bypassing Secure Boot and Flash Encryption Using EMFI
Espressif Advisory: AR2023-005
Impact: Applicable for ESP32 Chip Revision v3.0/v3.1
Resolution: Please see advisory for details
CVE-2023-24023
Security Advisory Concerning the Bluetooth BLUFFS Vulnerability
Espressif Advisory: AR2023-010
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2023-52160
Security Advisory for PEAP Phase-2 Authentication
Espressif Advisory: AR2024-003
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2022
CVE-2022-24893
Espressif Bluetooth Mesh Stack Vulnerability
Espressif Advisory: NA (Published on GitHub)
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
Advisory pointer: GHSA-7f7f-jj2q-28wm
CVE-2021
CVE-2021-32020
Insufficient bounds checking during management of heap memory in FreeRTOS
Impact: ESP-IDF uses its own heap allocator and hence not applicable
Resolution: NA
CVE-2021-43997
Privilege escalation issue in FreeRTOS ARMv7-M and ARMv8-M MPU ports
Impact: Not applicable for Espressif chips
Resolution: NA
CVE-2021-3420
Security Advisory on "BadAlloc" Vulnerabilities
Espressif Advisory: AR2021-005
Impact: Not applicable for ESP-IDF
Resolution: NA
CVE-2021-31571
Security Advisory on "BadAlloc" Vulnerabilities
Espressif Advisory: AR2021-005
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2021-31572
Security Advisory on "BadAlloc" Vulnerabilities
Espressif Advisory: AR2021-005
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2021-28139
Security Advisory for Bluetooth Vulnerability
Covers additional CVEs: CVE-2020-10135, CVE-2020-13595, CVE-2020-26555, CVE-2020-26556, CVE-2020-26557, CVE-2020-26558, CVE-2020-26559, CVE-2020-26560, CVE-2021-28135, CVE-2021-28136
Espressif Advisory: AR2021-004
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2020
CVE-2020-22283
Buffer overflow vulnerability in lwIP stack
Espressif Advisory: NA
Impact: Applicable for ESP-IDF
Resolution: Fix cherry-picked and available in ESP-IDF >= v4.4.1
CVE-2020-22284
Buffer overflow vulnerability in lwIP stack
Espressif Advisory: NA
Impact: Applicable for ESP-IDF
Resolution: Fix cherry-picked and available in ESP-IDF >= v4.4.1
CVE-2020-26142
Security Advisory for WLAN FragAttacks
Espressif Advisory: AR2023-008
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details
CVE-2020-12638
Security Advisory Concerning Wi-Fi Authentication Bypass
Espressif Advisory: AR2020-002
Impact: Applicable for ESP-IDF
Resolution: Please see advisory for details