PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45328 espressif CVE debrief

A critical vulnerability was found in the Espressif Internet of Things (IoT) Development Framework (ESP-IDF). The vulnerability is caused by the esp_tee component exposing secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates, and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.

Vendor: espressif
Product: esp-idf
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of the Espressif Internet of Things (IoT) Development Framework (ESP-IDF) versions 5.5.4 and 6.0 should update to versions 5.5.5 and 6.0.1 respectively.

Technical summary

The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL. The affected products are Espressif ESP-IDF versions 5.5.4 and 6.0. The vulnerability is caused by the esp_tee component exposing secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c.

Defensive priority

high

Recommended defensive actions

  • Update ESP-IDF 5.5.4 to version 5.5.5 and ESP-IDF 6.0 to version 6.0.1.
  • Refer to [ref-4](ref-4) for patch details.
  • Refer to [ref-10](ref-10) for vendor advisory.

Evidence notes

The vulnerability was published on 2026-06-10T02:16:32.687Z and modified on 2026-06-11T18:15:51.000Z.

Official resources

This CVE debrief was generated based on the provided source corpus and official links only.