← Back

CVE-2026-45541

nvd nist
Published: Jun 10, 2026Modified: Jun 11, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 / Impact: 3.6
Source: security-advisories@github.com (Secondary)

Description

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Affected (5)

Products: Espressif: Esp Idf
Espressif
1 product
Esp Idf
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Espressif
Esp Idf
Version 5.2.6
Esp Idf
Version 5.3.5
Esp Idf
Version 5.4.4
Esp Idf
Version 5.5.4
Esp Idf
Version 6.0

Related CWEs

CWE-476
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.

References (7)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
MitigationPatchVendor Advisory

Timeline

No history available yet.