CVE-2026-55687

HIGHPre-NVD 7.57.5
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.5 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.4%, top 69% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, secondary
Trending — 3 sources updated this week
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpeg_parse_dqt_marker() in components/esp_driver_jpeg/jpeg_parse_marker.c because the attacker-controlled DQT marker Tq nibble is used as an index into the qt_tbl array without validating that it is in the range 0..3, allowing malformed JPEG input to corrupt stack memory and reliably trigger a denial of service. This issue is fixed in version 6.0.2 and is expected to be fixed in versions 5.5.5, 5.4.5, and 5.3.6.

CVSS v3
7.5
EG Score
7.5(medium)
EPSS
30.6%
KEV
Not listed

Published

July 10, 2026

Last Modified

July 10, 2026

Advisory Details (7)

Auto-updated Jul 10, 2026
Patch available. Sources: github_commit, github_release, github.
github Patch Available

Stack-Based Out-of-Bounds Write in JPEG Decoder DQT Marker Parsing · Advisory · espressif/esp-idf · GitHub

https://github.com/espressif/esp-idf/security/advisories/GHSA-v6r2-f6p2-88cj
github_release Patch Available

ESP-IDF Release v6.0.2

Patch available: espressif/esp-idf v6.0.2

https://github.com/espressif/esp-idf/releases/tag/v6.0.2
github_commit

commit f2df45bcedef (espressif/esp-idf)

Fix landed in espressif/esp-idf commit f2df45bcedef — awaiting tagged release

https://github.com/espressif/esp-idf/commit/f2df45bcedef11354e83c31a9718d680a68422c4
github_commit

commit 82c5c2dad453 (espressif/esp-idf)

Fix landed in espressif/esp-idf commit 82c5c2dad453 — awaiting tagged release

https://github.com/espressif/esp-idf/commit/82c5c2dad45313786fb7e973059bc9094d95c3b2
github_commit

commit 7ccfc00f39fa (espressif/esp-idf)

Fix landed in espressif/esp-idf commit 7ccfc00f39fa — awaiting tagged release

https://github.com/espressif/esp-idf/commit/7ccfc00f39faf1b7e5919f45b56fe44ba699d7c1
github_commit

commit 6ffafe8e9314 (espressif/esp-idf)

Fix landed in espressif/esp-idf commit 6ffafe8e9314 — awaiting tagged release

https://github.com/espressif/esp-idf/commit/6ffafe8e93142ef8ffe51a6311d4abfc0f10fe77
github_commit

commit 303c01305acb (espressif/esp-idf)

Fix landed in espressif/esp-idf commit 303c01305acb — awaiting tagged release

https://github.com/espressif/esp-idf/commit/303c01305acb8ae5c4eb24a1786300681b4822a4

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 14× in last 7d / 14× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 17:58 UTCEG score recompute
  2. 2026-07-14 05:47 UTCEG score recompute
  3. 2026-07-13 22:31 UTCEPSS rescore
  4. 2026-07-13 17:36 UTCEG score recompute
  5. 2026-07-13 06:13 UTCEPSS rescore
  6. 2026-07-13 06:13 UTCEPSS rescore
  7. 2026-07-13 05:25 UTCEG score recompute
  8. 2026-07-12 17:15 UTCEG score recompute
  9. 2026-07-12 05:46 UTCEPSS rescore
  10. 2026-07-12 05:04 UTCEG score recompute
  11. 2026-07-11 16:54 UTCEG score recompute
  12. 2026-07-11 04:44 UTCEG score recompute
  13. 2026-07-10 16:34 UTCEG score recompute
  14. 2026-07-10 16:32 UTCMITRE cvelistV5first tracked

Frequently asked(5)

What is CVE-2026-55687?
CVE-2026-55687 is a high vulnerability published on July 10, 2026. ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpegparsedqtmarker() in components/espdriverjpeg/jpegparsemarker.c because the attacker-controlled DQT marker Tq nibble is used as an…
When was CVE-2026-55687 disclosed?
CVE-2026-55687 was first published in the National Vulnerability Database on July 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-55687 actively exploited?
CVE-2026-55687 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 30.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-55687?
CVE-2026-55687 has a CVSS v3 base score of 7.5 (NVD).
How do I remediate CVE-2026-55687?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55687, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-55687

Explore →

Is Your Infrastructure Affected by CVE-2026-55687?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.