Software component
Impact
An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device.
Patches
To address the aforementioned issues, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations.
Patched versions of ESP-IDF Framework are listed below:
Workarounds
The ESP-IDF Wi-Fi library has been updated to include more robust length checks for received ESP-NOW data payloads. We recommend upgrading your ESP-IDF baseline to benefit from this fix.
- For ESP-IDF v5.3 and earlier, if upgrading is not feasible, a workaround can be applied by validating that the
data_len parameter received in the RX callback (registered via esp_now_register_recv_cb()) is a positive value before further processing.
- For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
Credits
We would like to thank Xiaobye (@xiaobye_tw) of DEVCORE Research Team for reporting this vulnerability and following up on responsible disclosure.
xiaobye-ctf Reporter
Software component
Impact
An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device.
Patches
To address the aforementioned issues, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations.
Patched versions of ESP-IDF Framework are listed below:
Workarounds
The ESP-IDF Wi-Fi library has been updated to include more robust length checks for received ESP-NOW data payloads. We recommend upgrading your ESP-IDF baseline to benefit from this fix.
data_lenparameter received in the RX callback (registered viaesp_now_register_recv_cb()) is a positive value before further processing.Credits
We would like to thank Xiaobye (@xiaobye_tw) of DEVCORE Research Team for reporting this vulnerability and following up on responsible disclosure.