Espressif ESP-IDF Bluetooth Advertising Mode Vulnerability Due to Invalid Access Address

Vulnerability

A vulnerability has been identified in the Bluetooth Low Energy (BLE) stack of the Espressif IoT Development Framework (ESP-IDF) for the ESP32 chip. While the ESP32 is advertising, a peer can send it a connection request (CONNECT_IND) whose Access Address (AA) is 0x00000000 or 0xFFFFFFFF. The Bluetooth Core Specification forbids both values for a connection AA (an AA may not have all four octets equal, nor more than six consecutive zeros or ones), so a conforming controller should ignore such a request. The ESP32 controller instead stops advertising unexpectedly and may report a connection event to the host, so the application layer believes a connection has been successfully established. Other Espressif chip families, such as the ESP32-C, ESP32-S and ESP32-H series, are not affected.
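
As an added illustration (not code from the advisory or from ESP-IDF), the following C validates a connection Access Address against the rules in Bluetooth Core Specification Vol 6, Part B, Section 2.1.2, which is the check a controller is expected to apply before accepting a CONNECT_IND. Both addresses named above fail it: 0x00000000 and 0xFFFFFFFF have all four octets equal and contain runs longer than six identical bits. The function names, the `coded_phy` flag and the constructed sample PDU are this example's own; the AA offset (byte 12, little-endian, the first LLData field after InitA and AdvA) follows the CONNECT_IND layout in Vol 6, Part B, Section 2.3.3.1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access Address shared by all advertising-channel PDUs (Core Spec Vol 6, Part B, 2.1.2). */
#define BLE_ADV_ACCESS_ADDRESS 0x8E89BED6u

/* Number of adjacent-bit transitions within the least significant `nbits` bits of v. */
static int bit_transitions(uint32_t v, int nbits)
{
    int t = 0;
    for (int i = 0; i + 1 < nbits; i++) {
        if (((v >> i) & 1u) != ((v >> (i + 1)) & 1u)) {
            t++;
        }
    }
    return t;
}

/* Length of the longest run of identical bits in the 32-bit value v. */
static int longest_bit_run(uint32_t v)
{
    int best = 0, cur = 0, prev = -1;
    for (int i = 0; i < 32; i++) {
        int b = (int)((v >> i) & 1u);
        cur = (b == prev) ? cur + 1 : 1;
        prev = b;
        if (cur > best) best = cur;
    }
    return best;
}

static int popcount32(uint32_t v)
{
    int c = 0;
    for (; v; v >>= 1) c += (int)(v & 1u);
    return c;
}

/*
 * Check a connection Access Address the way a controller must before accepting a
 * CONNECT_IND. Returns NULL if the AA is acceptable, otherwise a string naming the
 * first rule it violates. `coded_phy` (an assumption of this example) additionally
 * applies the two rules that only hold on the LE Coded PHY.
 */
const char *ble_check_access_address(uint32_t aa, bool coded_phy)
{
    if (aa == BLE_ADV_ACCESS_ADDRESS)
        return "equals the advertising access address";
    if (popcount32(aa ^ BLE_ADV_ACCESS_ADDRESS) == 1)
        return "differs from the advertising access address by one bit";
    if ((aa & 0xffu) == ((aa >> 8) & 0xffu) &&
        ((aa >> 8) & 0xffu) == ((aa >> 16) & 0xffu) &&
        ((aa >> 16) & 0xffu) == ((aa >> 24) & 0xffu))
        return "all four octets equal";            /* 0x00000000 and 0xFFFFFFFF fail here */
    if (longest_bit_run(aa) > 6)
        return "more than six consecutive zeros or ones";
    if (bit_transitions(aa, 32) > 24)
        return "more than 24 transitions";
    if (bit_transitions(aa >> 26, 6) < 2)
        return "fewer than two transitions in the most significant six bits";
    if (coded_phy) {
        if (popcount32(aa & 0xffu) < 3)
            return "fewer than three ones in the least significant 8 bits (Coded PHY)";
        if (bit_transitions(aa, 16) > 11)
            return "more than eleven transitions in the least significant 16 bits (Coded PHY)";
    }
    return NULL;
}

/* Extract the AA from a CONNECT_IND payload: InitA (6) + AdvA (6), then LLData,
 * whose first four bytes are the little-endian Access Address. */
uint32_t ble_connect_ind_access_address(const uint8_t *payload)
{
    const uint8_t *p = payload + 12;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int main(void)
{
    /* Constructed CONNECT_IND payload (34 bytes): addresses zeroed, AA = 0x00000000,
       i.e. the malformed request the advisory describes. Not a captured packet. */
    uint8_t connect_ind[34];
    memset(connect_ind, 0, sizeof connect_ind);

    uint32_t aa = ble_connect_ind_access_address(connect_ind);
    const char *why = ble_check_access_address(aa, false);
    printf("CONNECT_IND AA 0x%08X: %s\n", aa, why ? why : "acceptable");

    const uint32_t more[] = { 0xFFFFFFFFu, 0xA5B3C9E1u };
    for (size_t i = 0; i < sizeof more / sizeof more[0]; i++) {
        why = ble_check_access_address(more[i], false);
        printf("AA 0x%08X: %s\n", more[i], why ? why : "acceptable");
    }
    return 0;
}
```

A controller that applies this check drops the request silently and keeps advertising, which is the behaviour the fixed ESP-IDF releases are meant to restore; the check is also useful on a sniffer capture to flag CONNECT_IND PDUs that a conforming peripheral should never have acted on.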

Impact

An unauthenticated peer within radio range can stop the ESP32 from advertising with a single malformed connection request, and the host is told a connection completed rather than that the request was dropped. The controller eventually recognises the invalid Access Address and discards the bogus connection, but it sends no error or disconnection event to the application layer. The application is therefore left believing a connection is active when none exists, and an application that only re-enables advertising after a disconnection event will not resume advertising on its own.

Remediation

Users can upgrade to Espressif ESP-IDF versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, or 5.1.7 to address this vulnerability. Instructions for updating can be found in the Espressif ESP-IDF documentation.

Added: Nov 17, 2025, 6:20 PM
Updated: Nov 17, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 1.1
threat: 3.2
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.