What is CVE-2026-25532?

CVE-2026-25532 is a medium-severity vulnerability in Espressif Esp-idf, classified under Integer Underflow. CVSS score: 6.3/10. Published 2026-02-04.

How severe is CVE-2026-25532?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Integer overflow in Espressif Esp-idf

CVE-2026-25532

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets w…

EPSS: 0.000 (9.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H.

Affected products

Espressif Esp-idf — versions = 5.5.2, = 5.4.3, = 5.3.4

Weakness classification (CWE)

CWE-191 — Integer Underflow

References

https://github.com/espressif/esp-idf/security/advisories/GHSA-m2h2-683f-9mw7 (x_refsource_CONFIRM)
https://github.com/espressif/esp-idf/commit/60f992a26de17bb5406f2149a2f8282dd7ad1c59 (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/6f6766f917bc940ffbcc97eac4765a6ab15d5f79 (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/73a587d42a57ece1962b6a4c530b574600650f63 (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/b209fae993d795255827ce6b2b0d6942a377f5d4 (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/b88befde6b5addcdd8d7373ce55c8052dea1e855 (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/cad36beb4cde27abcf316cd90d8d8dddbc6f213a (x_refsource_MISC)
https://github.com/espressif/esp-idf/commit/de28801e8ea6a736b6f0db6fc0c682739363bb41 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25532?: CVE-2026-25532 is a medium-severity vulnerability in Espressif Esp-idf, classified under Integer Underflow. CVSS score: 6.3/10. Published 2026-02-04.
How severe is CVE-2026-25532?: Medium severity. CVSS v3 base score is 6.3 out of 10.