The Espressif esp-idf Internet of Things Development Framework contains a heap-based buffer overflow vulnerability (CWE-122) in the protocomm component's Security Scheme 2 (SRP6a) session setup. Specifically, the function handle_session_command0() improperly trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer derived from a narrower destination type. This mismatch leads to truncation versus copy asymmetry, resulting in heap corruption when an oversized username is provided. The issue affects esp-idf versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0 and has been patched in subsequent minor versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Successful exploitation of this vulnerability can cause heap corruption, which may lead to denial of service or potentially arbitrary code execution. The CVSS v3.1 score is 7.1 (high severity) with attack vector requiring adjacent network access, low attack complexity, no privileges or user interaction required, and impact limited to integrity and high impact on availability.

A fix is available and has been released in esp-idf versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. Users should upgrade to these patched versions to remediate the vulnerability. No additional mitigation steps are indicated by the vendor advisory.