CVE-2025-66409
Published: 02 December 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-66409 is an out-of-bounds read vulnerability (CWE-125) in the Espressif IoT Development Framework (ESP-IDF), affecting versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier. The issue resides in the Bluetooth stack on ESP32 devices when AVRCP is enabled. It occurs when the stack processes a malformed VENDOR DEPENDENT command from a peer device: fields of the command are read from the receive buffer before the buffer length has been checked against the size of the header those fields live in. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), critical severity due to high impact on confidentiality and availability.
An attacker within Bluetooth range can exploit this vulnerability over the air, without privileges or user interaction, by sending a specially crafted VENDOR DEPENDENT command to a vulnerable ESP32 device that has AVRCP enabled. Successful exploitation triggers an out-of-bounds read, which can leak adjacent memory contents back to the attacker or induce unexpected behaviour such as a crash or denial of service. AVRCP is typically enabled alongside A2DP on audio devices, so speakers, headsets and similar products built on the affected ESP-IDF releases are the most likely targets.
Mitigation requires updating to a patched version of ESP-IDF, as evidenced by fixes in the Espressif esp-idf repository. Relevant commits include 075ed218cadb8088155521cd8a795d8a626519fb, 2f788e59ee361eee230879ae2ec9cf5c893fe372, 798029129a71c802cff0e75eb59f902bca8f1946, 999710fccf95ae128fe51b5679d6b7c75c50d902, and d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace, which add the missing buffer length validation in the Bluetooth AVRCP handling. Where an update is not immediately possible, disabling AVRCP in the project configuration removes the vulnerable code path.
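The following is an added illustration of the bug class described above, written for this page; it is not ESP-IDF code and does not reproduce the patched function. It assumes the standard AVRCP VENDOR DEPENDENT layout (3-byte AV/C header, 3-byte company ID, PDU ID, packet type, 2-byte big-endian parameter length, then parameters), and the function names, struct and sample frames are constructed for the example. The unchecked parser shows the flawed pattern (fields read before the length is consulted); the checked parser shows the validation a fix needs, including rejecting a declared parameter length that exceeds the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVC_OPCODE_VENDOR_DEPENDENT 0x00
/* 3 AV/C header bytes + 3 company ID + PDU ID + packet type + 2 param length */
#define AVRCP_VD_HDR_LEN 10

struct vd_cmd {
    uint8_t        ctype;
    uint32_t       company_id;
    uint8_t        pdu_id;
    uint8_t        packet_type;
    uint16_t       param_len;
    const uint8_t *params;
};

/* Flawed pattern (illustrative, not ESP-IDF code): every header field is read
 * before len is consulted, so a peer that sends a 4-byte VENDOR DEPENDENT frame
 * makes this read 6 bytes past the end of the received data. */
static int parse_vd_unchecked(const uint8_t *buf, size_t len, struct vd_cmd *out)
{
    out->ctype       = buf[0] & 0x0f;
    out->company_id  = ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 8) | buf[5];
    out->pdu_id      = buf[6];
    out->packet_type = buf[7] & 0x03;
    out->param_len   = (uint16_t)(((uint16_t)buf[8] << 8) | buf[9]);
    out->params      = buf + AVRCP_VD_HDR_LEN;
    (void)len; /* never checked before the reads above */
    return 0;
}

/* Hardened form: validate length before touching any field.
 * Returns 0 on success, -1 truncated header, -2 wrong opcode,
 * -3 declared parameter length exceeds the bytes received. */
static int parse_vd_checked(const uint8_t *buf, size_t len, struct vd_cmd *out)
{
    if (buf == NULL || out == NULL || len < AVRCP_VD_HDR_LEN) return -1;
    if (buf[2] != AVC_OPCODE_VENDOR_DEPENDENT) return -2;

    uint16_t param_len = (uint16_t)(((uint16_t)buf[8] << 8) | buf[9]);
    if (param_len > len - AVRCP_VD_HDR_LEN) return -3;

    out->ctype       = buf[0] & 0x0f;
    out->company_id  = ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 8) | buf[5];
    out->pdu_id      = buf[6];
    out->packet_type = buf[7] & 0x03;
    out->param_len   = param_len;
    out->params      = buf + AVRCP_VD_HDR_LEN;
    return 0;
}

/* Constructed sample: STATUS ctype (0x01), PANEL subunit (0x48), VENDOR DEPENDENT
 * opcode, Bluetooth SIG company ID 0x001958, GetCapabilities (PDU 0x10),
 * single packet, one parameter byte: capability ID 0x03 (EVENTS_SUPPORTED). */
static const uint8_t good_frame[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x00, 0x01, 0x03
};

/* Same header but claims 0x0100 parameter bytes while only one follows. */
static const uint8_t lying_len_frame[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00, 0x01, 0x00, 0x03
};

int main(void)
{
    struct vd_cmd c;
    int rc = parse_vd_checked(good_frame, sizeof good_frame, &c);
    printf("good frame: rc=%d company=0x%06x pdu=0x%02x param_len=%u\n",
           rc, c.company_id, c.pdu_id, c.param_len);
    printf("truncated (4 bytes): checked rc=%d\n",
           parse_vd_checked(good_frame, 4, &c));
    printf("declared length too large: checked rc=%d\n",
           parse_vd_checked(lying_len_frame, sizeof lying_len_frame, &c));

    /* The unchecked parser accepts the 4-byte frame; here it is placed in a
     * zero-padded buffer so the over-read stays inside our own allocation. */
    uint8_t padded[32] = {0};
    memcpy(padded, good_frame, 4);
    printf("truncated (4 bytes): unchecked rc=%d (accepted, header read past data)\n",
           parse_vd_unchecked(padded, 4, &c));
    return 0;
}
```

The over-read in the unchecked parser is only "safe" in the demo because the sample sits in a padded local array; on a real ESP32 the bytes beyond the received command belong to whatever follows the buffer in RAM, which is the memory disclosure the advisory describes.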
Details
- CWE(s): CWE-125 (Out-of-bounds Read)
- Affected Products: Espressif ESP-IDF 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6 and earlier (ESP32 Bluetooth stack with AVRCP enabled)
- MITRE ATT&CK Enterprise Techniques: T1499.004 (Endpoint Denial of Service: Application Exploitation); T1011.001 (Exfiltration Over Bluetooth)
Why these techniques?
An out-of-bounds read over the Bluetooth link serves two purposes for an attacker: memory beyond the command buffer can be returned to the peer (exfiltration over Bluetooth), and reading unmapped or invalid addresses crashes the stack (endpoint denial of service via application exploitation).