Cyber Resilience

CVE-2026-25532

Medium

Published: 04 February 2026

Modified: 20 February 2026
KEV Added: not listed
Patch: see fixed versions below
CVSS v3.1 Score: 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0004 (13.8th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25532 is a medium-severity Integer Underflow (Wrap or Wraparound) vulnerability (CWE-191) in Espressif ESP-IDF. Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS exploit likelihood ranks at the 13.8th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25532 is an integer underflow vulnerability (CWE-191) in the Wi-Fi Protected Setup (WPS) Enrollee implementation of ESP-IDF, the Espressif IoT Development Framework. Affected versions include 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. The issue arises when processing malformed EAP-Expanded (WSC) messages, where the fragment length (frag_len) is calculated by subtracting header sizes from the total packet length. If an attacker sends a packet with an EAP Length field that covers only the header and flags—omitting expected payload such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set—frag_len becomes negative. This negative value is implicitly cast to a size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. The vulnerability has a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

An attacker on an adjacent network (AV:A) with no privileges (PR:N) can exploit this vulnerability with low attack complexity (AC:L), though it requires user interaction (UI:R), such as initiating a WPS enrollment process on the target device. By crafting and transmitting a truncated EAP-WSC packet, the attacker triggers the underflow, leading to a massive allocation or memory corruption via wpabuf_put_data(). This results in high availability impact (A:H), potentially causing denial of service through crashes or resource exhaustion, and low integrity impact (I:L) from potential data tampering.

The vulnerability has been addressed in patched versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7 of ESP-IDF. Mitigation details are available in the corresponding GitHub commit fixes from the espressif/esp-idf repository, including commits 60f992a26de17bb5406f2149a2f8282dd7ad1c59, 6f6766f917bc940ffbcc97eac4765a6ab15d5f79, 73a587d42a57ece1962b6a4c530b574600650f63, b209fae993d795255827ce6b2b0d6942a377f5d4, and b88befde6b5addcdd8d7373ce55c8052dea1e855. Security practitioners should update affected ESP-IDF deployments and disable WPS if not required.

Vulnerability details

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
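The length arithmetic described above, shown as an added illustration that is not ESP-IDF source: the unchecked computation reproduces the sign flip on a constructed truncated packet, and the checked version validates every length before subtracting (the SI-10 mitigation). The EAP, EAP-Expanded and WSC header sizes, the function names and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Header sizes assumed for this illustration (EAP, EAP-Expanded, WSC). */
#define EAP_HDR_LEN      4    /* code(1) id(1) length(2) */
#define EAP_EXPANDED_LEN 8    /* type(1) vendor-id(3) vendor-type(4) */
#define WSC_HDR_LEN      2    /* op-code(1) flags(1) */
#define WPS_MSG_FLAG_LEN 0x02 /* a 2-byte Message Length field follows */

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: subtract header sizes from the EAP Length field without
 * checking it is large enough. A truncated packet gives a negative frag_len,
 * which turns into a huge value once converted to size_t for wpabuf_put_data(). */
int frag_len_unchecked(const uint8_t *pkt)
{
    int eap_len = get_be16(pkt + 2);
    uint8_t flags = pkt[EAP_HDR_LEN + EAP_EXPANDED_LEN + 1];
    int frag_len = eap_len - EAP_HDR_LEN - EAP_EXPANDED_LEN - WSC_HDR_LEN;
    if (flags & WPS_MSG_FLAG_LEN)
        frag_len -= 2;  /* Message Length field that is not actually present */
    return frag_len;
}

/* Hardened pattern (SI-10 style input validation): check every length against
 * the buffer and the declared EAP Length before subtracting. Returns the
 * fragment payload length, or -1 if the packet is malformed. */
int frag_len_checked(const uint8_t *pkt, size_t pkt_len)
{
    size_t hdr = EAP_HDR_LEN + EAP_EXPANDED_LEN + WSC_HDR_LEN;
    if (pkt_len < hdr)
        return -1;
    size_t eap_len = get_be16(pkt + 2);
    if (eap_len < hdr || eap_len > pkt_len)
        return -1;
    if (pkt[EAP_HDR_LEN + EAP_EXPANDED_LEN + 1] & WPS_MSG_FLAG_LEN) {
        hdr += 2;
        if (eap_len < hdr)
            return -1;  /* LEN flag set but the Message Length field is missing */
    }
    return (int)(eap_len - hdr);
}

/* Constructed 14-byte EAP-WSC request: EAP Length = 14 covers only the headers
 * and flags, yet the LEN flag promises a Message Length field that never comes. */
const uint8_t truncated_pkt[14] = {
    0x01, 0x01, 0x00, 0x0e,                          /* EAP Request, id 1, length 14 */
    0xfe, 0x00, 0x37, 0x2a, 0x00, 0x00, 0x00, 0x01,  /* Expanded type, WFA, SimpleConfig */
    0x04, 0x02                                       /* op-code WSC_MSG, flags = LEN */
};
```

On the truncated packet the unchecked path yields -2, which is SIZE_MAX - 1 once converted to size_t, while the checked path rejects the packet.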

CWE(s)

CWE-191 Integer Underflow (Wrap or Wraparound)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Integer underflow triggers memory corruption/massive allocation in WPS packet processing, directly enabling application/system exploitation to achieve denial of service (crash or resource exhaustion) with low-integrity side effects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-66409 (same product: Espressif ESP-IDF)
CVE-2024-53406 (same product: Espressif ESP-IDF)
CVE-2026-37231 (shared CWE-191)
CVE-2026-40386 (shared CWE-191)
CVE-2025-0727 (shared CWE-191)
CVE-2026-31417 (shared CWE-191)
CVE-2026-34064 (shared CWE-191)
CVE-2026-7424 (shared CWE-191)
CVE-2026-31662 (shared CWE-191)
CVE-2025-21276 (shared CWE-191)

Affected Assets

espressif esp-idf, versions 5.1.6, 5.2.6, 5.3.4, 5.4.3, 5.5.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent (vendor patch): Directly requires applying the vendor patches (5.5.3+) that eliminate the integer-underflow flaw in WPS fragment-length handling.

prevent (SI-10, Information Input Validation): Mandates validation of all input fields (EAP Length, flags, Message Length) before arithmetic, blocking the truncated-packet underflow.

prevent (CM-7, Least Functionality): Requires disabling non-essential WPS Enrollee functionality when not needed, eliminating the vulnerable code path entirely.