|
Security Advisory Concerning Timing Attacks on ECDSA Peripheral in ESP32-H2
|
This advisory describes a security vulnerability in the ESP32-H2 chip's (chip revision < v1.2) ECDSA peripheral, where timing differences in signature generation can lead to potential attacks, providing solutions such as enabling Secure Boot, updating ESP-IDF, and upgrading the chip revision to v1.2 for enhanced security. |
V1.0 |
AR2024-007 |
Security |
2024.11.26 |
Notification |
|
|
Bug Advisory Concerning Software Reset Failure on ESP32-S3 After OTA Upgrade to Specific ESP-IDF Versions with Quad SPI Flash Access Frequency Increased to 120 MHz
|
This advisory describes the issue of software reset failure on ESP32-S3 after OTA upgrade to specific ESP-IDF versions with Quad SPI Flash Access Frequency increased to 120 MHz, along with corresponding solutions. |
V1.0 |
AR2024-010 |
Bugs |
2024.10.12 |
Fixed |
|
|
Security Advisory for PEAP Phase 2 Authentication
|
This advisory describes vulnerabilities in PEAP phase-2 authentication and its solution.
|
V1.1 |
AR2024-003 |
Security |
2024.09.19 |
Fixed |
|
|
Bug Advisory Concerning Applications Using Auto Light Sleep on ESP32-C6 with Certain ESP-IDF Versions
|
This advisory describes issues with certain ESP32-C6 products in applications where the Wi-Fi and Bluetooth LE modules coexist or when only the Wi-Fi module is initialized and auto light-sleep is enabled, along with the corresponding solutions. |
V1.0 |
AR2024-006 |
Bugs |
2024.08.30 |
Fixed with Commit |
|
|
Bug Advisory Concerning Data Corruption in RTC Memory of ESP32-C3 / ESP32-S3
|
The advisory describes two issues where improper power configuration leads to abnormal RTC memory data storage, along with the corresponding solutions. |
V1.0 |
AR2024-005 |
Bugs |
2024.08.15 |
Fixed |
|
|
Compatibility Advisory for ESP32-C3 Chip Revision v1.1
|
This advisory describes the required software configurations to use ESP32-C3 chip revision v1.1 and its compatibility with chip revision v0.4. |
V1.0 |
AR2024-009 |
Compatibility |
2024.07.22 |
Announcement |
|
|
Bug Advisory Concerning Low Wi-Fi Transmit Power on ESP32-C3 (chip revision v0.1 ~ v1.0)
|
This advisory describes and provides a solution for an issue that using specific PHY versions and configurations in ESP32-C3 chips (chip versions v0.1~v1.0) can result in a 20 dB decrease in Wi-Fi transmit power in certain ESP-IDF versions. |
V1.0 |
AR2024-002 |
Bugs |
2024.07.09 |
Fixed |
|
|
End-of-Life Advisory for ESP-IDF v4.4 Release Branch
|
ESP-IDF v4.4 Release Branch reaches End-of-Life in July of 2024. |
V1.0 |
AR2024-008 |
End-of-Life |
2024.07.02 |
Announcement |
|
|
Bug Advisory Concerning Upgrading ESP-IDF for Applications Using Deep-Sleep Functionality based on Certain ESP-IDF Versions
|
This advisory describes two issues that lead to abnormal functionality due to incorrect module initialization timing after deepsleep wake-up and provides solutions for users. |
V1.0 |
AR2024-004 |
Bugs |
2024.06.11 |
Fixed |
|
|
Bug Advisory Concerning Some Android Phones Being Unable to Scan the Advertising PDUs Sent by ESP32 Bluetooth LE
|
This advisory describes and provides solution about an issue in ESP32 concerning certain Android phones being unable to scan the advertising PDUs sent by Bluetooth LE when in the Wi-Fi and Bluetooth coexistence mode. |
V1.1 |
AR2024-001 |
Bugs |
2024.05.30 |
Fixed |
|
|
Bug Advisory for ESP32-C3’s Bluetooth LE Disconnection from iPhone in Bluetooth LE and Wi-Fi Coexistence Scenarios
|
This advisory describes the bug and solution for the Bluetooth LE ACL disconnection between certain new iPhone models and the ESP32-C3 series of products running specific ESP-IDF versions. Such disconnection will happen shortly after the connection is established when Wi-Fi and Bluetooth LE are used at the same time. |
V1.1 |
AR2023-002 |
Bugs |
2024.05.30 |
Fixed |
|
|
Security Advisory for WLAN FragAttacks
|
This security advisory describes vulnerabilities affecting WLAN FragAttacks and their solutions. |
V1.1 |
AR2023-008 |
Security |
2024.05.20 |
Fixed |
|
|
Advisory for the Probabilistic Failure of Wi-Fi and Bluetooth on Some Chips
|
This advisory focuses on a bug in ESP32, ESP32-C3, ESP32-S3, and ESP32-S2 chips. BLE and WiFi call the corresponding deinit function before initialization, Bluetooth and WiFi will probabilistically fail to work properly. The advisory also provides practi |
V1.0 |
AR2023-009 |
Bugs |
2024.02.07 |
Fixed |
|
|
Security Advisory for Classic Bluetooth BLUFFS Vulnerability
|
The advisory briefly describes BLUFFS vulnerability and the implementation level mitigations on ESP32 series products for now. |
V1.0 |
AR2023-010 |
Security |
2024.01.19 |
Notification |
|
|
Security Advisory Concerning Bypassing Secure Boot and Flash Encryption using CPA and FI attack on ESP32-C3 and ESP32-C6
|
The advisory focuses on a crucial hardware vulnerability discovered in ESP32-C3 and ESP32-C6 chips. The vulnerability stems from a combination of Correlation Power Analysis (CPA), Fault Injection (FI), and buffer overflow, allowing attackers to bypass the Flash Encryption feature that uses the AES-XTS algorithm, extracting sensitive device information. Additionally, the advisory offers suggestions for hardware and application countermeasures that can effectively mitigate this type of attack. |
V1.0 |
AR2023-007 |
Security |
2024.01.08 |
Notification |
|
|
End-of-Life Advisory for ESP-IDF v4.3 Release Branch
|
ESP-IDF v4.3 Release Branch reaches End-of-Life in end of 2023. |
V1.0 |
AR2023-011 |
End-of-Life |
2024.01.08 |
Announcement |
|
|
Security Advisory concerning Wi-Fi authentication bypass
|
|
V1.1 |
AR2020-002 |
Security |
2023.11.03 |
Fixed |
|
|
Advisory for Upgrading ESP-IDF for Application That Has Enabled [Auto Suspend] or [XIP from PSRAM]
|
This advisory describes the bug and solution for possible data corruption in the main flash due to concurrent access in some conditions. The cause is: concurrent access to main flash (connected to SPI0 CS0) with esp_flash API is bypassed in some conditions. Unexpected concurrent access may cause data corruption in the main flash, which may forbid the device from booting up. The solution is: applications that has enabled [Auto Suspend] or [XIP from PSRAM] shall upgrade ESP-IDF to the fixed version. |
V1.0 |
AR2023-003 |
Bugs |
2023.09.04 |
Fixed |
|
|
Security Advisory for WFA vulnerability
|
This security advisory describes vulnerabilities affecting Wi-Fi devices and their solutions. |
V1.1 |
AR2021-003 |
Security |
2023.08.25 |
Fixed |
|
|
Security Advisory Concerning Bypassing Secure Boot and Flash Encryption Using EMFI
|
This security advisory describes an issue summary and impact analysis of a technique called Electromagnetic Fault Injection (EMFI), which allows bypassing Secure Boot V2 and Flash Encryption on the ESP32 with directly jumping to the UART Download mode implemented in the ROM code. The advisory also provides practical tips for customers on using the ESP32 chip. |
V1.0 |
AR2023-005 |
Security |
2023.07.11 |
Notification |
|
|
End-of-Life Advisory for ESP-IDF v4.2 Release Branch
|
ESP-IDF v4.2 Release Branch reaches End-of-Life in June 2023. |
V1.0 |
AR2023-004 |
End-of-Life |
2023.06.30 |
Announcement |
|
|
End-of-Life Advisory for ESP-IDF v4.1 Release Branch
|
ESP-IDF v4.1 release branch reaches End-of-Life in February, 2023.a |
V1.0 |
AR2023-001 |
End-of-Life |
2023.03.01 |
Announcement |
|
|
Security Advisory for USB_OTG & USB_Serial_JTAG Download Functions of ESP32-S3 Series Products
|
For ESP32-S3 series chips manufactured on and after Date Code 2219 and modules and development boards with the PW No. of and after PW-2022-06-XXXX, the bit (BLK0 B19[7]) will be open for users to program since it will not be programmed by default. This will enable the USB_OTG Download function. |
V1.1 |
AR2022-004 |
Security |
2022.12.21 |
Fixed |
|
|
Security Advisory Concerning Breaking the Hardware AES Core and Firmware Encryption of ESP32 Chip Revision v3.0
|
This security advisory provides an issue summary and impact analysis of the side-channel attack (SCA) and body bias injection (BBI), which allow attackers to exploit the power consumption trajectory characteristics of ESP32/ESP32-S2/ESP32-S3/ESP32-C3 series chips when performing encryption and decryption to obtain sensitive information in the chip. The advisory also provides practical tips for customers on using the ESP32/ESP32-S2/ESP32-S3/ESP32-C3/ESP32-C2 series chips.
|
V2.0 |
AR2022-003 |
Security |
2022.11.18 |
Notification |
|
|
Compatibility Advisory for Chip Revision Numbering Scheme
|
Espressif introduced vM.X numbering scheme to indicate chip revisions. |
V1.0 |
AR2022-005 |
Compatibility |
2022.09.29 |
Announcement |
|
|
Optimization of eFuse Programming for ESP32 / ESP32-C3 / ESP32-S2 / ESP32-S3 Series of Chips
|
This advisory describes a rare issue related to Secure Boot v1, Secure Boot v2, and/or flash encryption, and its solution. Note that, this issue can only happen when using specific versions of ESP-IDF for ESP32, ESP32-C3, and ESP32-S2 series products.
|
V1.0 |
AR2022-006 |
Application |
2022.09.26 |
Fixed |
|
|
End-of-Life Advisory for ESP-IDF v3.3 Release Branch
|
ESP-IDF v3.3 release branch reaches End-of-Life in February, 2022. |
V1.0 |
AR2022-002 |
End-of-Life |
2022.02.22 |
Announcement |
|
|
End-of-Life Advisory for ESP-IDF v4.0 Release Branch
|
ESP-IDF v4.0 release branch reaches End-of-Life in October, 2021. |
V1.0 |
AR2021-007 |
End-of-Life |
2022.01.06 |
Announcement |
|
|
Unable to Boot Few ESP32-C3 Products Using Certain ESP-IDF Versions
|
This bug advisory describes boot problems identified in the ESP32-C3 series of products, including chips, modules, and development boards, developed and produced based on ESP-IDF v4.3-rc and ESP-IDF v4.3. The bug is caused by improper parameter configurations in the chip's initialization software and has been fixed in ESP-IDF v4.3.1 and higher. |
V1.0 |
AR2021-006 |
Bugs |
2021.12.24 |
Fixed |
|
|
Security Advisory on "BadAlloc" Vulnerabilities
|
This security advisory describes BadAlloc, which is a family of vulnerabilities related to integer overflows in heap handling functions in several RTOSes and libraries, and its solutions. |
V1.0 |
AR2021-005 |
Security |
2021.10.27 |
Fixed |
|
|
Notice on Invalid KC Certification
|
|
V1.0 |
AR2021-T-001 |
Other |
2021.09.28 |
|
|
|
Security Advisory for Bluetooth Vulnerability
|
Securtiy Advisory for various Bluetooth vulnerability, including BrakTooth, Impersonation in different pairing methods and Mesh, BIAS Vulnerability, and their solutions. |
V1.0 |
AR2021-004 |
Security |
2021.08.31 |
Fixed |
|
|
Security Advisory Concerning Partitions Using Flash Encryption
|
This security advisory describes the partition encryption issues and their solutions when using the flash encryption feature of ESP32 series products. |
V1.0 |
AR2021-002 |
Security |
2021.06.10 |
Fixed |
|
|
End-of-Life Advisory for ESP-IDF v3.1 and ESP-IDF v3.2 Release Branches
|
ESP-IDF v3.1 and v3.2 Release Branch reaches End-of-Life in October, 2020. |
V1.0 |
AR2021-001 |
End-of-Life |
2021.03.09 |
Announcement |
|
|
Security Advisory concerning fault injection and ESP32 Flash Encryption & Secure Boot V1
|
|
V1.0 |
AR2020-001 |
Security |
2020.07.20 |
Notification |
|