Description
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.
Published: 2026-04-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the updated description, SWUpdate contains an integer underflow in the multipart upload parser within mg_http_multipart_continue_wait_for_chunk() in mongoose_multipart.c. A crafted HTTP POST to /upload with a malformed multipart boundary and controlled TCP stream timing can trigger the underflow when the buffer length falls within a specific range, resulting in an out‑of‑bounds heap read past the allocated receive buffer into a local IPC socket. This corrupts internal structures, causing the update daemon to crash and denying service. The weakness maps to CWE‑125 and CWE‑191.

Affected Systems

The vulnerable code resides in the SWUpdate project maintained by sbabic. No explicit version range is provided; the flaw exists in the code as of the referenced commit. Any system running SWUpdate without the applied changes from that commit is susceptible to exploitation.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score is less than 1%, suggesting that while the exploit can be achieved, its likelihood of emerging in the wild is low at present. The vulnerability is not in the CISA KEV catalog. Exploitation requires unauthenticated access to the /upload endpoint and the ability to send a crafted request; attack can be performed from any network location that can reach the endpoint. Successful exploitation would disrupt the OTA update process and could be leveraged for repeated denial‑of‑service attacks against affected devices.

Generated by OpenCVE AI on May 26, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SWUpdate to a version that includes the fix from the commit beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 or newer.
  • Restrict the /upload endpoint to authenticated clients, or place it behind an authenticated reverse proxy to prevent unauthenticated attackers from sending malicious POST requests.
  • If an immediate unavailable, mitigate by blocking untrusted traffic to /upload and applying rate limiting or boundary size checks to reduce the impact of malformed multipart uploads.

Generated by OpenCVE AI on May 26, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Description SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket. SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sbabic
Sbabic swupdate
Vendors & Products Sbabic
Sbabic swupdate

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.
Title SWUpdate Integer Underflow in Multipart Upload Parser
Weaknesses CWE-125
CWE-191
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sbabic Swupdate
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:53.783Z

Reserved: 2026-02-27T21:07:55.468Z

Link: CVE-2026-28525

cve-icon Vulnrichment

Updated: 2026-04-25T01:32:18.736Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T21:16:05.367

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-28525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T01:30:15Z

Weaknesses