CVE-2026-45328
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
The esp_tee component in versions 5.5.4 and 6.0 of the ESF-IDF framework has a vulnerability that allows unauthorized access to secure hardware services. This issue has been patched in versions 5.5.5 and 6.0.1.
Risk Assessment
Organizations using the vulnerable versions may be exposed to attacks that could lead to unauthorized access to sensitive data and security features.
Recommendation
It is recommended to upgrade to versions 5.5.5 or 6.0.1 to eliminate this vulnerability and secure systems against potential threats.
Original NVD description (English source)
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to the security feature like attestation, OTA updates, secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.

