The vulnerability CVE-2026-25507 affects the Espressif IoT Development Framework (esp-idf), specifically in the BLE provisioning transport layer (protocomm_ble). In affected versions 5.1.6 through 5.5.2, when the device is in provisioning mode and provisioning is stopped with the parameter keep_ble_on set to true, the internal protocomm_ble state and GATT metadata are freed while the BLE stack and GATT services remain active. This leads to a use-after-free condition where subsequent BLE read or write callbacks dereference freed memory. A remote BLE client connected or newly connecting to the device can trigger this invalid memory access, potentially causing application crashes or denial of service. The vulnerability does not require privileges or authentication but does require user interaction in the form of a BLE connection attempt during provisioning mode. Espressif has patched this issue in versions 5.1.7, 5.2.7, 5.3.5, 5.4.4, and 5.5.3. No known exploits are currently reported in the wild. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) indicates a medium severity with no confidentiality impact but low integrity and high availability impact due to potential denial of service.

For European organizations deploying IoT devices based on Espressif's esp-idf framework, this vulnerability poses a risk primarily to device availability and integrity during provisioning. Exploitation could cause device crashes or service interruptions, impacting operational continuity especially in critical infrastructure or industrial IoT scenarios. While confidentiality is not directly affected, denial of service on IoT endpoints could disrupt automation, monitoring, or control systems. The risk is heightened in environments where devices are provisioned via BLE in potentially untrusted or public areas, allowing remote attackers to trigger the vulnerability. This could affect sectors such as manufacturing, smart cities, healthcare, and utilities that rely on Espressif-based devices. The absence of known exploits reduces immediate risk but patching is essential to prevent future attacks.

European organizations should immediately update esp-idf to patched versions 5.1.7 or later to remediate the vulnerability. For devices already deployed, firmware updates should be prioritized during maintenance windows. Network segmentation and BLE access controls can reduce exposure by limiting provisioning mode access to trusted personnel or secure environments. Monitoring BLE provisioning activity for unusual connection attempts can help detect exploitation attempts. Developers should review provisioning workflows to avoid enabling keep_ble_on=true unnecessarily and ensure proper lifecycle management of BLE services. Additionally, implementing runtime memory protection and watchdog timers can mitigate impact from unexpected crashes. Device manufacturers should communicate patches and mitigation guidance clearly to downstream integrators and customers.