Description
When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection.
Impact
In affected ESP32 software versions, the controller does not correctly handle invalid connection requests with AA = 0x00000000 or 0xFFFFFFFF:
- Advertising is stopped unexpectedly.
- A connection event is incorrectly reported to the host.
- The invalid AA is later detected and ignored, but no error or disconnection event is propagated to the application layer.
As a result, the application layer may continue to believe that the device is connected, even though no valid connection exists. This issue affects only the ESP32 series. Other Espressif chip families, including ESP32-C, ESP32-S, and ESP32-H, are not affected.
Resolution
According to the Bluetooth LE specification (Core Specification Vol 6, Part B), the Access Addresses 0x00000000 and 0xFFFFFFFF are explicitly defined as invalid. Any device that uses these values to transmit packets or initiate a connection is non-compliant with the Bluetooth LE specification.
With this fix, when the ESP32 is advertising and receives a connection request using an Access Address of 0x00000000 or 0xFFFFFFFF, the request is ignored in accordance with the Bluetooth LE specification:
- Advertising continues without interruption.
- No invalid connection is established.
- Application layer behavior remains consistent with protocol expectations.
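The corrected handling described above, as an added example that is not Espressif's controller code: a small model of an advertiser receiving a CONNECT_IND, which drops the request and keeps advertising when the Access Address is invalid. It goes beyond the two values in this advisory by applying the Access Address requirements of Core Specification Vol 6, Part B, Section 2.1.2 (0x00000000 and 0xFFFFFFFF fail those rules); the controller context and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

#define ADV_ACCESS_ADDRESS 0x8E89BED6u  /* AA carried by every advertising channel packet */
typedef enum { LL_STANDBY, LL_ADVERTISING, LL_CONNECTION } ll_state_t;
/* Hypothetical controller context: link-layer state, AA in use, and whether an
 * LE Connection Complete event has been sent to the host. */
typedef struct { ll_state_t state; uint32_t access_address; bool connection_event_reported; } ll_ctx_t;

static int popcount32(uint32_t v) { int n = 0; for (; v; v &= v - 1) n++; return n; }
/* Number of 0<->1 transitions across the low `bits` bits of v. */
static int transitions(uint32_t v, int bits) {
    int n = 0;
    for (int i = 0; i + 1 < bits; i++) n += ((v >> i) ^ (v >> (i + 1))) & 1u;
    return n;
}
/* Longest run of identical consecutive bits in v. */
static int longest_run(uint32_t v) {
    int best = 1, run = 1;
    for (int i = 1; i < 32; i++) {
        run = (((v >> i) ^ (v >> (i - 1))) & 1u) ? 1 : run + 1;
        if (run > best) best = run;
    }
    return best;
}

/* Access Address rules from Core Spec Vol 6, Part B, Section 2.1.2. The
 * advisory's 0x00000000 and 0xFFFFFFFF fail the first two checks. */
bool aa_is_valid(uint32_t aa) {
    uint32_t b0 = aa & 0xFFu;
    if (b0 == ((aa >> 8) & 0xFFu) && b0 == ((aa >> 16) & 0xFFu) && b0 == (aa >> 24)) return false;
    if (longest_run(aa) > 6) return false;                      /* > 6 consecutive 0s or 1s */
    if (popcount32(aa ^ ADV_ACCESS_ADDRESS) <= 1) return false; /* equals adv AA or differs by 1 bit */
    if (transitions(aa, 32) > 24) return false;
    if (transitions(aa >> 26, 6) < 2) return false;             /* most significant six bits */
    return true;
}

/* CONNECT_IND received while advertising. Fixed behaviour: an invalid AA is
 * ignored, advertising continues and nothing is reported to the host. */
ll_ctx_t after_connect_ind(uint32_t aa_from_connect_ind) {
    ll_ctx_t ctx = { LL_ADVERTISING, 0, false };
    if (!aa_is_valid(aa_from_connect_ind)) return ctx;   /* drop the request, keep advertising */
    ctx.state = LL_CONNECTION;
    ctx.access_address = aa_from_connect_ind;
    ctx.connection_event_reported = true;                /* LE Connection Complete to host */
    return ctx;
}
```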
Fix Commit Records
The following commits resolve this issue:
Credits
We would like to thank Dominik Schreiber from SBA Research for reporting this vulnerability and following up on responsible disclosure.