CVE-2026-45541
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
In the esp_http_server component, versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 have a NULL-pointer dereference in the WebSocket subprotocol-negotiation path. This issue can crash the server while processing the Sec-WebSocket-Protocol request header, occurring before any application-level authentication.
Risk Assessment
The organization may experience server crashes, leading to service downtime and potential security issues before authentication is performed.
Recommendation
It is recommended to upgrade to versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1 to mitigate this vulnerability.
Original NVD description (English source)
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

