Mallory
High

Improper exposure of TEE secure-service wrappers in ESP-IDF esp_tee

Identifiers: CVE-2026-45328 · CWE-20 (Improper Input Validation)

CVE-2026-45328 affects Espressif ESP-IDF in versions 5.5.4 and 6.0. The esp_tee component exposes secure-service wrappers implemented in esp_secure_services.c and esp_secure_services_iram.c. These wrappers bridge calls from the user application running in the Rich Execution Environment (REE) to TEE-protected hardware peripherals, including AES, SHA, ECC, HMAC, SPI, MMU, and WDT, as well as security-sensitive features such as attestation, OTA updates, and secure storage. Based on the available information, the vulnerability consists of unintended exposure of interfaces that mediate access from the non-secure application environment to trusted services and protected hardware resources. Specific root-cause details, affected functions beyond the named source files, and exploit mechanics are not currently available.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow an attacker operating in the user application or REE context to invoke or abuse trusted secure-service interfaces intended to protect access to sensitive peripherals and security features. Depending on implementation details not provided in the available content, this could result in unauthorized use of cryptographic hardware, interference with secure storage, misuse of attestation or OTA functionality, or compromise of security boundaries between the REE and TEE. The precise impact is not fully documented in the provided material.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by disabling or avoiding use of the affected esp_tee secure-service interfaces where feasible, minimizing untrusted application access to REE code paths that can reach these wrappers, and restricting deployment of firmware built on vulnerable ESP-IDF versions in production environments. Additional mitigation guidance is not available from the provided content.

Remediation

Patch, then assume compromise.

Upgrade ESP-IDF to a patched release. The issue is reported as fixed in versions 5.5.5 and 6.0.1. Organizations should identify deployments using ESP-IDF 5.5.4 or 6.0, rebuild affected firmware against the patched SDK, and redeploy updated images to devices.
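To support the "identify deployments using ESP-IDF 5.5.4 or 6.0" step, the following added example (not from the advisory or from Espressif) reads the SDK version that every ESP-IDF app image records in its esp_app_desc_t descriptor and classifies it against the affected and fixed versions named above. It assumes the documented app image layout (descriptor at offset 0x20 with magic 0xABCD5432) and builds a constructed image for demonstration.

```python
import re
import struct

# esp_app_desc_t as documented in the ESP-IDF app image format: it sits at offset
# 0x20 of an app .bin, after the 24-byte image header and the 8-byte first-segment
# header. Fields: magic, secure_version, reserv1[2], version[32], project_name[32],
# time[16], date[16], idf_ver[32], app_elf_sha256[32] (later fields ignored here).
APP_DESC_OFFSET = 0x20
APP_DESC_MAGIC = 0xABCD5432
APP_DESC_FMT = "<II8x32s32s16s16s32s32s"

AFFECTED = {(5, 5, 4), (6, 0, 0)}  # versions named in the advisory
FIXED = {(5, 5, 5), (6, 0, 1)}     # fixed releases named in the advisory


def parse_idf_version(idf_ver: str):
    """Map strings like 'v5.5.4', 'v6.0', 'v5.5.4-dirty' or
    'v6.0-dev-123-gabcdef' to a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", idf_ver)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def read_app_desc(image: bytes) -> dict:
    """Extract the descriptor fields relevant to an inventory check."""
    size = struct.calcsize(APP_DESC_FMT)
    if len(image) < APP_DESC_OFFSET + size:
        raise ValueError("image too short to hold esp_app_desc_t")
    magic, secure_ver, version, project, _t, _d, idf_ver, _sha = \
        struct.unpack_from(APP_DESC_FMT, image, APP_DESC_OFFSET)
    if magic != APP_DESC_MAGIC:
        raise ValueError("no esp_app_desc_t magic at offset 0x20")
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"project": cstr(project), "app_version": cstr(version),
            "idf_ver": cstr(idf_ver), "secure_version": secure_ver}


def classify(idf_ver: str) -> str:
    """'affected', 'fixed', 'not-listed' or 'unknown' for CVE-2026-45328."""
    v = parse_idf_version(idf_ver)
    if v is None:
        return "unknown"
    if v in AFFECTED:
        return "affected"
    return "fixed" if v in FIXED else "not-listed"


def build_test_image(idf_ver: str, project: bytes = b"demo") -> bytes:
    """Constructed sample image: 0x20 bytes of header padding plus a descriptor."""
    desc = struct.pack(APP_DESC_FMT, APP_DESC_MAGIC, 0, b"1.0.0", project,
                       b"", b"", idf_ver.encode(), b"\0" * 32)
    return bytes(APP_DESC_OFFSET) + desc
```

Pointing `read_app_desc` at real firmware images pulled from a build server or OTA repository gives a list of which projects still ship on an affected SDK and must be rebuilt.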
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor               Product   Type
Espressif Systems    Esp-Idf   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.
