CVE Catalog

CVE-2026-45328

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

7th percentile — higher than 7% of all known CVEs

Summary

The esp_tee component in versions 5.5.4 and 6.0 of the ESF-IDF framework has a vulnerability that allows unauthorized access to secure hardware services. This issue has been patched in versions 5.5.5 and 6.0.1.

Risk Assessment

Organizations using the vulnerable versions may be exposed to attacks that could lead to unauthorized access to sensitive data and security features.

Recommendation

It is recommended to upgrade to versions 5.5.5 or 6.0.1 to eliminate this vulnerability and secure systems against potential threats.

Original NVD description (English source)

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to the security feature like attestation, OTA updates, secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS