PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45329 espressif CVE debrief

A vulnerability was discovered in Espressif Internet of Things (IOT) Development Framework (ESP-IDF) versions 5.5.4 and 6.0. The issue lies in the ESP-TEE secure-service wrappers, which only validated some of the caller-supplied pointer arguments. This oversight allowed callers to supply pointers into TEE-exclusive memory as inputs, enabling the peripheral to read TEE memory and return results derived from it to the REE. The impact of this vulnerability varies depending on the wrapper, potentially leading to the disclosure of sensitive data resident in TEE memory.

Vendor
espressif
Product
esp-idf
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Users of ESP-IDF versions 5.5.4 and 6.0 should be aware of this vulnerability and take necessary actions to mitigate its effects.

Technical summary

The vulnerability is caused by insufficient validation of caller-supplied pointer arguments in ESP-TEE secure-service wrappers. This allows an attacker to supply pointers to TEE-exclusive memory, potentially leading to sensitive data disclosure.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to ESP-IDF version 5.5.5 or 6.0.1, which includes patches for this vulnerability. [ref-4], [ref-5], [ref-6]
  • Refer to the vendor advisory for more information: [ref-7]

Evidence notes

The vulnerability was patched in versions 5.5.5 and 6.0.1 of ESP-IDF.

Official resources

CVE-2026-45329 was published on 2026-06-10T02:16:32.817Z and modified on 2026-06-11T18:04:26.353Z.