CVE-2024-53845

ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throu...

CVE-2019-12587

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames...

CVE-2021-28139

The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield pa...

CVE-2022-24893

ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. This can result in memory corruption...

CVE-2024-33453

Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component.

CVE-2024-53406

Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks.