{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-66409","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-11-28T23:33:56.365Z","datePublished":"2025-12-02T18:09:03.069Z","dateUpdated":"2025-12-02T18:46:18.126Z"},"containers":{"cna":{"title":"ESP-IDF has an Out-of-Bounds Read in ESP32 Bluetooth AVRCP Command Handling","problemTypes":[{"descriptions":[{"cweId":"CWE-125","lang":"en","description":"CWE-125: Out-of-bounds Read","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":2.7,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U","version":"4.0"}}],"references":[{"name":"https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96","tags":["x_refsource_CONFIRM"],"url":"https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96"},{"name":"https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb","tags":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb"},{"name":"https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372","tags":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372"},{"name":"https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946","tags":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946"},{"name":"https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902","ta
gs":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902"},{"name":"https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace","tags":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace"},{"name":"https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7","tags":["x_refsource_MISC"],"url":"https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7"}],"affected":[{"vendor":"espressif","product":"esp-idf","versions":[{"version":">= 5.5-beta1, <= 5.5.1","status":"affected"},{"version":">= 5.4-beta1, <= 5.4.3","status":"affected"},{"version":">= 5.3-beta1, <= 5.3.4","status":"affected"},{"version":">= 5.2-beta1, <= 5.2.6","status":"affected"},{"version":"<= 5.1.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-12-02T18:09:03.069Z"},"descriptions":[{"lang":"en","value":"ESP-IDF is the Espressif Internet of Things (IOT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior."}],"source":{"advisory":"GHSA-qhf9-vr2h-jh96","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-02T18:43:14.641038Z","id":"CVE-2025-66409","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-02T18:46:18.126Z"}}]}}