diff --git a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c
index 379d1ceda5..813a677b51 100644
--- a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c
+++ b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -126,14 +126,24 @@ void esp_receive_apple_data_source(uint8_t *message, uint16_t message_len)
     switch (Command_id)
     {
         case CommandIDGetNotificationAttributes: {
+            // Security fix: Check minimum message length before accessing message[1..4]
+            if (message_len < 5) {
+                ESP_LOGE(BLE_ANCS_TAG, "Message too short for NotificationAttributes");
+                break;
+            }
             uint32_t NotificationUID = (message[1]) | (message[2]<< 8) | (message[3]<< 16) | (message[4] << 24);
             uint32_t remian_attr_len = message_len - 5;
             uint8_t *attrs = &message[5];
             ESP_LOGI(BLE_ANCS_TAG, "recevice Notification Attributes response Command_id %d NotificationUID %" PRIu32, Command_id, NotificationUID);
             while(remian_attr_len > 0) {
+                // Security fix: Need at least 3 bytes for AttributeID(1) + len(2)
+                if (remian_attr_len < 3) {
+                    ESP_LOGE(BLE_ANCS_TAG, "Incomplete attribute header");
+                    break;
+                }
                 uint8_t AttributeID = attrs[0];
                 uint16_t len = attrs[1] | (attrs[2] << 8);
-                if(len > (remian_attr_len -3)) {
+                if(len > (remian_attr_len - 3)) {
                     ESP_LOGE(BLE_ANCS_TAG, "data error");
                     break;
                 }
diff --git a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c
index 506765c8f3..d5f6992f92 100644
--- a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c
+++ b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -31,6 +31,8 @@
 #define ADV_CONFIG_FLAG                           (1 << 0)
 #define SCAN_RSP_CONFIG_FLAG                      (1 << 1)
 #define INVALID_HANDLE                             0
+#define ANCS_CMD_BUFFER_MAX_SIZE                   600
+
 static uint8_t adv_config_done = 0;
 static bool get_service = false;
 static esp_gattc_char_elem_t *char_elem_result   = NULL;
@@ -168,15 +170,26 @@ esp_noti_attr_list_t p_attr[8] = {
 
 void esp_get_notification_attributes(uint8_t *notificationUID, uint8_t num_attr, esp_noti_attr_list_t *p_attr)
 {
-    uint8_t cmd[600] = {0};
+    uint8_t cmd[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
     uint32_t index = 0;
+
     cmd[0] = CommandIDGetNotificationAttributes;
     index ++;
     memcpy(&cmd[index], notificationUID, ESP_NOTIFICATIONUID_LEN);
     index += ESP_NOTIFICATIONUID_LEN;
     while(num_attr > 0) {
+        // Security fix: Check buffer boundary before writing
+        if (index >= ANCS_CMD_BUFFER_MAX_SIZE) {
+            ESP_LOGE(BLE_ANCS_TAG, "Command buffer overflow in get_notification_attributes");
+            return;
+        }
         cmd[index ++] = p_attr->noti_attribute_id;
         if (p_attr->attribute_len > 0) {
+            // Need 2 more bytes for attribute_len
+            if ((index + 2) > ANCS_CMD_BUFFER_MAX_SIZE) {
+                ESP_LOGE(BLE_ANCS_TAG, "Command buffer overflow in get_notification_attributes");
+                return;
+            }
             cmd[index ++] = p_attr->attribute_len;
             cmd[index ++] = (p_attr->attribute_len << 8);
         }
@@ -195,8 +208,15 @@ void esp_get_notification_attributes(uint8_t *notificationUID, uint8_t num_attr,
 
 void esp_get_app_attributes(uint8_t *appidentifier, uint16_t appidentifier_len, uint8_t num_attr, uint8_t *p_app_attrs)
 {
-    uint8_t buffer[600] = {0};
+    uint8_t buffer[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
     uint32_t index = 0;
+
+    // Security fix: Check buffer boundary before memcpy
+    if ((1 + appidentifier_len + num_attr) > ANCS_CMD_BUFFER_MAX_SIZE) {
+        ESP_LOGE(BLE_ANCS_TAG, "Buffer overflow in get_app_attributes");
+        return;
+    }
+
     buffer[0] = CommandIDGetAppAttributes;
     index ++;
     memcpy(&buffer[index], appidentifier, appidentifier_len);
@@ -215,7 +235,7 @@ void esp_get_app_attributes(uint8_t *appidentifier, uint16_t appidentifier_len,
 
 void esp_perform_notification_action(uint8_t *notificationUID, uint8_t ActionID)
 {
-    uint8_t buffer[600] = {0};
+    uint8_t buffer[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
     uint32_t index = 0;
     buffer[0] = CommandIDPerformNotificationAction;
     index ++;
@@ -517,6 +537,12 @@ static void gattc_profile_event_handler(esp_gattc_cb_event_t event, esp_gatt_if_
                 esp_get_notification_attributes(notificationUID, sizeof(p_attr)/sizeof(esp_noti_attr_list_t), p_attr);
              }
         } else if (param->notify.handle == gl_profile_tab[PROFILE_A_APP_ID].data_source_handle) {
+            if ((data_buffer.len + param->notify.value_len) > sizeof(data_buffer.buffer)) {
+                ESP_LOGE(BLE_ANCS_TAG, "Data source buffer overflow detected, discarding data");
+                memset(data_buffer.buffer, 0, sizeof(data_buffer.buffer));
+                data_buffer.len = 0;
+                break;
+            }
             memcpy(&data_buffer.buffer[data_buffer.len], param->notify.value, param->notify.value_len);
             data_buffer.len += param->notify.value_len;
             if (param->notify.value_len == (gl_profile_tab[PROFILE_A_APP_ID].MTU_size - 3)) {