Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- <v5.5.2
- <v5.4.4
- <v5.3.5
- <v5.2.7
- <v5.1.7
A vulnerability in the Bluetooth stack of Espressif's Internet of Things Development Framework (ESP-IDF) has been identified. When the Audio/Video Remote Control Profile (AVRCP) is enabled on ESP32 devices, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to read memory before verifying the length of the command buffer. This flaw may result in an out-of-bounds read, potentially disclosing unintended memory contents or causing erratic behavior.
Exploitation of this vulnerability can lead to an out-of-bounds read in the Bluetooth stack, which may cause undefined behavior, such as program crashes or system instability.
To reproduce this vulnerability, send a malformed VENDOR DEPENDENT command over Bluetooth AVRCP to an ESP32 device with the affected ESP-IDF version. The command must have a buffer shorter than what the AVRCP protocol requires, which will trigger the Bluetooth stack to read beyond the intended memory bounds.
Users can update to Espressif's ESP-IDF versions 5.5.2, 5.4.4, 5.3.5, 5.2.7 or 5.1.7, where this vulnerability has been fixed.
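As an added illustration of the defect class this advisory describes (written for this page, not ESP-IDF's code and not the actual fix), the C below contrasts a parser that dereferences fields of a VENDOR DEPENDENT command before checking the received length with a hardened version that validates the fixed header size first and then bounds the peer-supplied parameter length. The frame layout, constant names, helper functions and sample bytes are simplified assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified AVRCP VENDOR DEPENDENT command layout assumed by this example
 * (illustrative, not ESP-IDF's own structures):
 *   [0] ctype  [1] subunit  [2] opcode (0x00 = VENDOR DEPENDENT)
 *   [3..5] company ID  [6] PDU ID  [7] packet type
 *   [8..9] parameter length (big-endian)  [10..] parameters */
#define AVC_OPCODE_VENDOR_DEPENDENT 0x00
#define AVRCP_VENDOR_HDR_LEN        10u

typedef struct {
    uint8_t ctype, subunit, pdu_id, packet_type;
    uint32_t company_id;
    uint16_t param_len;
    const uint8_t *params;
} avrcp_vendor_cmd_t;

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Defect pattern the advisory describes: header fields are dereferenced
 * before the received length is consulted, so a frame shorter than the
 * fixed header turns buf[k] into an out-of-bounds read. Shown only for
 * comparison; this example never calls it on a short buffer. */
bool parse_vendor_cmd_unchecked(const uint8_t *buf, size_t len, avrcp_vendor_cmd_t *out)
{
    (void)len;                               /* length is never checked */
    out->ctype = buf[0];  out->subunit = buf[1];
    out->company_id = be24(buf + 3);
    out->pdu_id = buf[6]; out->packet_type = buf[7];
    out->param_len = be16(buf + 8);
    out->params = buf + AVRCP_VENDOR_HDR_LEN;
    return buf[2] == AVC_OPCODE_VENDOR_DEPENDENT;
}

/* Hardened form: validate the received length before touching any field,
 * then validate the peer-supplied parameter length against what remains. */
bool parse_vendor_cmd_checked(const uint8_t *buf, size_t len, avrcp_vendor_cmd_t *out)
{
    if (buf == NULL || out == NULL) return false;
    if (len < AVRCP_VENDOR_HDR_LEN) return false;          /* check 1: fixed header present */
    if (buf[2] != AVC_OPCODE_VENDOR_DEPENDENT) return false;

    out->ctype = buf[0];  out->subunit = buf[1];
    out->company_id = be24(buf + 3);
    out->pdu_id = buf[6]; out->packet_type = buf[7];
    out->param_len = be16(buf + 8);

    /* check 2: the declared parameter bytes must all have been received,
     * otherwise parameter parsing would run past the end of the buffer. */
    if (out->param_len > len - AVRCP_VENDOR_HDR_LEN) return false;

    out->params = buf + AVRCP_VENDOR_HDR_LEN;
    return true;
}

/* Constructed sample frames for the demo (not captured traffic). */
static const uint8_t FRAME_OK[] = {
    0x01, 0x48, 0x00,        /* STATUS, panel subunit, VENDOR DEPENDENT */
    0x00, 0x19, 0x58,        /* company ID */
    0x10, 0x00,              /* PDU ID, single packet */
    0x00, 0x01,              /* parameter length = 1 */
    0x03                     /* the one parameter byte */
};
static const uint8_t FRAME_SHORT[] = { 0x01, 0x48, 0x00, 0x00 };   /* truncated header */
static const uint8_t FRAME_BAD_LEN[] = {
    0x01, 0x48, 0x00, 0x00, 0x19, 0x58, 0x10, 0x00,
    0x01, 0x00,              /* claims 256 parameter bytes ... */
    0x03                     /* ... but only one follows */
};

/* Returns the parsed PDU ID, or -1 when the checked parser rejects the frame. */
int checked_pdu_id(const uint8_t *buf, size_t len)
{
    avrcp_vendor_cmd_t cmd;
    return parse_vendor_cmd_checked(buf, len, &cmd) ? (int)cmd.pdu_id : -1;
}

int demo_well_formed(void)   { return checked_pdu_id(FRAME_OK, sizeof FRAME_OK); }
int demo_short_frame(void)   { return checked_pdu_id(FRAME_SHORT, sizeof FRAME_SHORT); }
int demo_bad_param_len(void) { return checked_pdu_id(FRAME_BAD_LEN, sizeof FRAME_BAD_LEN); }

int main(void)
{
    printf("well-formed frame  -> PDU 0x%02x\n", demo_well_formed());   /* 0x10 */
    printf("truncated header   -> %d\n", demo_short_frame());           /* -1 */
    printf("bad param length   -> %d\n", demo_bad_param_len());         /* -1 */
    return 0;
}
```

The second check matters as much as the first: once the fixed header has been validated, the peer still controls `param_len`, so it has to be bounded by the bytes actually received before any parameter field is dereferenced. A code review or fuzz harness for a profile parser should exercise both cases, a frame shorter than the header and a frame whose declared length exceeds what arrived.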