ESP32
by Espressif
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-28139 | Espressif / ESP32 | High | 0.57 | 8.8 | 0.01 | | Sep 7, 2021 | The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended… |
| CVE-2021-34173 | Espressif / ESP32 | High | 0.49 | 7.5 | 0.01 | | Jul 14, 2021 | An attacker can cause a Denial of Service and kernel panic in v4.2 and earlier versions of Espressif esp32 via a malformed beacon csa frame. The device requires a reboot to recover. |
| CVE-2023-35818 | Espressif / ESP32 | Medium | 0.44 | 6.8 | 0.00 | | Jul 17, 2023 | An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the… |
| CVE-2021-28136 | Espressif / ESP32 | Medium | 0.42 | 6.5 | 0.01 | | Sep 7, 2021 | The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in… |
| CVE-2021-28135 | Espressif / ESP32 | Medium | 0.42 | 6.5 | 0.01 | | Sep 7, 2021 | The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP… |
| CVE-2019-17391 | Espressif / ESP32 | Medium | 0.30 | 4.6 | 0.00 | | Nov 14, 2019 | An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as… |
| CVE-2025-65822 | Espressif / ESP32 | | 0.00 | — | 0.00 | | Dec 10, 2025 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product an attacker with physical access to the device can connect over this port and reflash the device's firmware with malicious… |
| CVE-2025-65821 | Espressif / ESP32 | | 0.00 | — | 0.00 | | Dec 10, 2025 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the NVS partition. Additionally, this allows… |
| CVE-2025-27840 | Espressif / ESP32 | | 0.00 | — | 0.01 | | Mar 8, 2025 | Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory). |
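Three of the entries above (CVE-2025-65822, CVE-2025-65821 and CVE-2019-17391) come down to eFuse state on a shipped unit: JTAG left enabled, UART download mode left enabled, and key blocks that are not read-protected. The script below is an added example, not an Espressif tool and not code from this page. It assumes (assumption) the JSON shape printed by `espefuse.py summary --format json`, a top-level object keyed by eFuse name with at least a `value` and a `readable` field per entry, and it uses the original ESP32's eFuse names (`JTAG_DISABLE`, `UART_DOWNLOAD_DIS`, `ABS_DONE_0`, `FLASH_CRYPT_CNT`, `DISABLE_DL_*`, `BLOCK1`/`BLOCK2`); other chips in the family use different names and will be reported as missing. The sample summary embedded in the block is constructed to mirror the state the two 2025 CVEs describe.

```python
"""Audit ESP32 security eFuses from `espefuse.py summary --format json` output.

Added example, not part of any Espressif tool. Assumption: the JSON is an object
keyed by eFuse name, each value an object with "value" and "readable" fields.
eFuse names are the original ESP32's; ESP32-S2/S3/C3 use different names.
"""
import json
import sys

# eFuse -> (value a hardened production unit should show, finding when it does not)
BOOL_CHECKS = {
    "JTAG_DISABLE": (True, "JTAG enabled: a physical attacker can halt the CPU, read RAM and reflash firmware"),
    # UART_DOWNLOAD_DIS only takes effect on ESP32 V3 (ECO3) and newer silicon.
    "UART_DOWNLOAD_DIS": (True, "UART download mode enabled: flash, NVS included, can be dumped over serial"),
    "ABS_DONE_0": (True, "Secure Boot not enabled: unsigned bootloader and app images are accepted"),
    "DISABLE_DL_ENCRYPT": (True, "ROM loader may still encrypt on write: plaintext can be flashed in download mode"),
    "DISABLE_DL_DECRYPT": (True, "ROM loader may still decrypt: encrypted flash can be read back as plaintext"),
    "DISABLE_DL_CACHE": (True, "ROM loader may still map flash through the cache in download mode"),
}
# Key blocks that must be read-protected once burned.
KEY_BLOCKS = {"BLOCK1": "flash encryption key", "BLOCK2": "Secure Boot key"}


def flash_encryption_enabled(flash_crypt_cnt: int) -> bool:
    """FLASH_CRYPT_CNT is a 7-bit counter; encryption is on when an odd number of bits are set."""
    return bin(flash_crypt_cnt).count("1") % 2 == 1


def audit(efuses: dict) -> list:
    """Return one human-readable finding per weak setting; an empty list means hardened."""
    findings = []
    for name, (want, msg) in BOOL_CHECKS.items():
        entry = efuses.get(name)
        if entry is None:
            findings.append(f"{name}: not present in summary (different chip or old espefuse?)")
        elif bool(entry.get("value")) != want:
            findings.append(f"{name}={entry.get('value')}: {msg}")
    cnt = efuses.get("FLASH_CRYPT_CNT", {}).get("value", 0)
    if not flash_encryption_enabled(int(cnt)):
        findings.append(f"FLASH_CRYPT_CNT={cnt}: flash encryption off, code and NVS sit in plaintext on the flash chip")
    for block, purpose in KEY_BLOCKS.items():
        entry = efuses.get(block)
        if entry is not None and entry.get("readable", True):
            findings.append(f"{block} ({purpose}) is software-readable: not read-protected")
    return findings


# Constructed sample (not captured from a real device): Secure Boot and flash
# encryption are on, but JTAG and UART download mode were left enabled.
SHIPPED_UNIT = json.loads("""{
  "JTAG_DISABLE":       {"value": false, "readable": true,  "writeable": true},
  "UART_DOWNLOAD_DIS":  {"value": false, "readable": true,  "writeable": true},
  "ABS_DONE_0":         {"value": true,  "readable": true,  "writeable": true},
  "DISABLE_DL_ENCRYPT": {"value": true,  "readable": true,  "writeable": true},
  "DISABLE_DL_DECRYPT": {"value": true,  "readable": true,  "writeable": true},
  "DISABLE_DL_CACHE":   {"value": true,  "readable": true,  "writeable": true},
  "FLASH_CRYPT_CNT":    {"value": 127,   "readable": true,  "writeable": true},
  "BLOCK1":             {"value": "??",  "readable": false, "writeable": false},
  "BLOCK2":             {"value": "??",  "readable": false, "writeable": false}
}""")

# Same unit after burning the two missing eFuses.
HARDENED_UNIT = {k: dict(v) for k, v in SHIPPED_UNIT.items()}
HARDENED_UNIT["JTAG_DISABLE"]["value"] = True
HARDENED_UNIT["UART_DOWNLOAD_DIS"]["value"] = True


if __name__ == "__main__":
    # Usage: espefuse.py --port /dev/ttyUSB0 summary --format json > summary.json
    #        python audit_efuses.py summary.json      (no argument: runs on the sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SHIPPED_UNIT
    for line in audit(data) or ["no weak settings found"]:
        print(line)
```

A clean result is necessary but not sufficient against an attacker with the board in hand: CVE-2019-17391 notes that the affected mask ROM lacks anti-glitch mitigations, so read-protected eFuses can still be recovered by glitching on those revisions, and CVE-2023-35818 reports an EMFI attack on ECO3 that works regardless of Secure Boot and flash encryption status.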