CVE-2021-28135: 
Espressif ESP-IDF Tools vulnerability analysis and mitigation

The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier contains a vulnerability (CVE-2021-28135) that affects the handling of continuous unsolicited LMP responses. This vulnerability was part of a larger set of Bluetooth vulnerabilities known as BrakTooth, discovered in 2021. The issue specifically affects ESP32 devices running the affected firmware versions (MITRE CVE, GBHackers).

The vulnerability allows attackers within radio range to trigger a denial of service condition by flooding the target device with LMP Feature Response data. This flaw exists in the Bluetooth Classic (BR/EDR) protocol implementation of the ESP-IDF framework. The attack can be executed using a cheap ESP32 development kit with custom LMP firmware and a PC running proof-of-concept tools (GBHackers).

When successfully exploited, the vulnerability can cause the target ESP32 device to crash, resulting in a denial of service condition. This can affect various types of devices including smartphones, infotainment systems, laptops, desktop systems, audio devices, home entertainment systems, keyboards, toys, and industrial equipment like programmable logic controllers (PLCs) (GBHackers).

Espressif Systems has released patches to address this vulnerability in updated versions of the ESP-IDF framework. Users are advised to update their ESP-IDF installations to a version newer than 4.4 to protect against this vulnerability (MITRE CVE, Espressif ESP-IDF).