PatchSiren cyber security CVE debrief

CVE-2026-46532 espressif CVE debrief

CVE-2026-46532 is a MEDIUM severity vulnerability in the Espressif IoT Development Framework (ESP-IDF). An out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c) in versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0. The issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1.

Vendor: espressif
Product: esp-idf
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of the Espressif IoT Development Framework (ESP-IDF) versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 should apply patches to prevent exploitation.

Technical summary

The vulnerability is an out-of-bounds read in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd()). The CVSS score is 4.6, which corresponds to MEDIUM severity.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to a patched version (5.2.7, 5.3.6, 5.4.5, 5.5.4, or 6.0.1) of the Espressif IoT Development Framework (ESP-IDF).
  • Apply patches provided by the vendor.
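To turn the affected/fixed version list above into a repeatable check, here is a small Python helper (an added example, not PatchSiren's or Espressif's code) that parses an ESP-IDF version string such as the output of `idf.py --version` and reports whether it is on a fixed release. It assumes that every release on a named branch below that branch's first fixed patch release is affected, and that branches not named in the advisory need a manual look.

```python
"""Classify an ESP-IDF version string against CVE-2026-46532 fix releases.

Added example, not PatchSiren or Espressif code. Fix versions are taken
from the advisory; the per-branch "earlier releases are also affected"
reading is an assumption, as the advisory names one release per branch.
"""
import re

# Release branch -> first patched release on that branch (from the advisory).
FIXED_IN = {
    (5, 2): (5, 2, 7),
    (5, 3): (5, 3, 6),
    (5, 4): (5, 4, 5),
    (5, 5): (5, 5, 4),
    (6, 0): (6, 0, 1),
}

# Matches "v5.4.4", "5.4.4", "ESP-IDF v6.0-dev-123" etc.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version string.

    A missing patch number (e.g. "v6.0") is treated as 0, which matches
    the advisory's listing of 6.0 as affected and 6.0.1 as fixed.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text):
    """Return 'affected', 'fixed' or 'unknown-branch' for a version string."""
    ver = parse_version(text)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        # Release line not mentioned in the advisory: do not guess.
        return "unknown-branch"
    return "affected" if ver < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, one per release line named in the advisory.
    for sample in ["ESP-IDF v5.2.6", "v5.3.6", "v5.4.4", "5.5.4", "v6.0", "v6.0.1"]:
        print(f"{sample:16s} -> {assess(sample)}")
```

Feed it the real value with something like `python3 check.py "$(idf.py --version)"` after adapting the `__main__` block, or read `$IDF_PATH/version.txt` and pass the contents to `assess()`.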

Evidence notes

CVE-2026-46532 was published on 2026-06-10T02:16:33.287Z and modified on 2026-06-11T17:36:20.577Z.
