ESF-IDF: Stack-Based Out-of-Bounds Write in JPEG Decoder DQT Marker Parsing
Summary
| CVE | CVE-2026-55687 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-10 17:16:59 UTC |
| Updated | 2026-07-10 21:16:57 UTC |
| Description | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpeg_parse_dqt_marker() in components/esp_driver_jpeg/jpeg_parse_marker.c because the attacker-controlled DQT marker Tq nibble is used as an index into the qt_tbl array without validating that it is in the range 0..3, allowing malformed JPEG input to corrupt stack memory and reliably trigger a denial of service. This issue is fixed in version 6.0.2 and is expected to be fixed in versions 5.5.5, 5.4.5, and 5.3.6. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-121 | CWE-787 | CWE-121 CWE-121: Stack-based Buffer Overflow | CWE-787 CWE-787: Out-of-bounds Write
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/espressif/esp-idf/commit/82c5c2dad45313786fb7e973059bc9094d95... | [email protected] | github.com | |
| github.com/espressif/esp-idf/commit/303c01305acb8ae5c4eb24a1786300681b48... | [email protected] | github.com | |
| github.com/espressif/esp-idf/security/advisories/GHSA-v6r2-f6p2-88cj | [email protected] | github.com | |
| github.com/espressif/esp-idf/commit/6ffafe8e93142ef8ffe51a6311d4abfc0f10... | [email protected] | github.com | |
| github.com/espressif/esp-idf/commit/f2df45bcedef11354e83c31a9718d680a684... | [email protected] | github.com | |
| github.com/espressif/esp-idf/releases/tag/v6.0.2 | [email protected] | github.com | |
| github.com/espressif/esp-idf/commit/7ccfc00f39faf1b7e5919f45b56fe44ba699... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.