Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack buffer overflow in the Arduino core for the ESP32 family, triggered while parsing the boundary parameter of a multipart/form-data Content-Type header. The parser sizes a stack-allocated variable-length array from the length of that attacker-supplied boundary with no upper bound, so a boundary of roughly 8000 characters or more exceeds the 8192-byte stack of the loopTask. At minimum this crashes (and typically reboots) the device; because the overwritten data includes saved return addresses on that stack, it may also lead to remote code execution. The weakness is CWE-121 (stack-based buffer overflow).

Affected Systems

The flaw affects the Espressif arduino-esp32 core for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Versions prior to 3.3.8 are vulnerable; only firmware that uses the WebServer library and accepts multipart form uploads exercises the affected code path. Firmware rebuilt with 3.3.8 or newer contains the fix.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) marks it as critical: the flaw is reachable over the network, needs no authentication or user interaction, and a single crafted HTTP request with an oversized boundary in the Content-Type header is enough to trigger it. Public exploitation is not documented, no EPSS score is available, and the issue is not in the CISA Known Exploited Vulnerabilities catalog, which means no in-the-wild exploitation has been confirmed, not that none is possible. A reliable crash is trivial to produce; turning it into code execution is harder on a microcontroller but should not be ruled out. Any device that exposes the WebServer to untrusted traffic should be treated as high risk.

Generated by OpenCVE AI on May 12, 2026 at 23:39 UTC.

Remediation

The CVE description states that the issue is fixed in arduino-esp32 3.3.8; no separate vendor workaround for earlier versions is published.

OpenCVE Recommended Actions

  • Upgrade the arduino‑esp32 core to version 3.3.8 or later and rebuild and reflash the firmware of every ESP32-family device that uses the WebServer library.
  • Rebuild any firmware that bundles its own copy of the WebServer library from a pre-3.3.8 core so the unbounded VLA code path is removed.
  • If an immediate firmware upgrade is not viable, reject oversized multipart boundaries in front of the device: RFC 2046 section 5.1.1 limits a boundary to 70 characters, so a reverse proxy or firewall can drop any request whose boundary is longer, and dropping requests with oversized headers in general has the same effect. This only helps if every network path to the device passes through that filter, because the library parses the multipart body before any sketch handler sees the request.
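The bug class described in the Impact section and the boundary-length check recommended above, shown side by side as an added illustration written for this page. This is not arduino-esp32 code: the function names, the assumed "+4" VLA sizing for the "--" prefix and CRLF, and the 8192-byte stack budget taken from the description are all assumptions. The vulnerable pattern is modelled (it reports how many stack bytes the VLA would claim) rather than executed, so the example runs without crashing; the hardened version copies into a fixed buffer only after enforcing the RFC 2046 limits.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <string>

// RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from a
// restricted set and must not end with a space.
constexpr size_t kMaxBoundaryLen = 70;
// Stack size the page attributes to the Arduino loopTask (assumption taken
// from the CVE description).
constexpr size_t kLoopTaskStackBytes = 8192;

// Pull the boundary= parameter out of a Content-Type header value, handling
// both quoted and bare forms. Returns "" when absent. No length limit here:
// that is deliberately left to the two callers below.
static std::string extractBoundary(const std::string& contentType) {
    const std::string key = "boundary=";
    size_t pos = contentType.find(key);
    if (pos == std::string::npos) return "";
    pos += key.size();
    std::string value;
    if (pos < contentType.size() && contentType[pos] == '"') {
        size_t end = contentType.find('"', pos + 1);
        if (end == std::string::npos) return "";
        value = contentType.substr(pos + 1, end - pos - 1);
    } else {
        size_t end = contentType.find(';', pos);
        value = contentType.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        while (!value.empty() && (value.back() == ' ' || value.back() == '\t')) value.pop_back();
    }
    return value;
}

// Vulnerable pattern, modelled not executed: the parser declares something
// like `char line[boundary.length() + 4]` on the task stack. This returns the
// bytes such a VLA would consume. Anything at or above the whole task stack
// is a certain overflow; in practice the threshold is lower because the rest
// of the call chain already occupies part of the stack (the page says ~8000).
static size_t vulnerableVlaBytes(const std::string& contentType) {
    return extractBoundary(contentType).size() + 4;  // +4 is an assumption
}

static bool vulnerableWouldOverflow(const std::string& contentType) {
    return vulnerableVlaBytes(contentType) >= kLoopTaskStackBytes;
}

// Hardened pattern: fixed-size storage, validated before any copy.
struct MultipartBoundary {
    char value[kMaxBoundaryLen + 1];  // +1 for the terminating NUL
    size_t len;
};

// bcharsnospace from RFC 2046 plus the space character.
static bool isBoundaryChar(char c) {
    if (c == '\0') return false;
    if (std::isalnum(static_cast<unsigned char>(c))) return true;
    return std::strchr("'()+_,-./:=? ", c) != nullptr;
}

// Returns false and leaves `out` untouched when the boundary is missing,
// longer than 70 characters, contains a disallowed character, or ends in a
// space. Only a valid boundary is ever copied into the fixed buffer.
static bool parseBoundaryBounded(const std::string& contentType, MultipartBoundary& out) {
    std::string b = extractBoundary(contentType);
    if (b.empty() || b.size() > kMaxBoundaryLen) return false;
    for (char c : b) {
        if (!isBoundaryChar(c)) return false;
    }
    if (b.back() == ' ') return false;
    std::memcpy(out.value, b.data(), b.size());
    out.value[b.size()] = '\0';
    out.len = b.size();
    return true;
}
```

The important design point is that the length check happens before any stack storage is sized from the untrusted value; a check placed after the VLA declaration would be too late, because the overflow occurs at the copy into that array, and on an unpatched core that copy runs inside the library before the sketch's own handlers are called.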


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Espressif; Espressif arduino-esp32
Vendors & Products   |                | Espressif; Espressif arduino-esp32

Tue, 12 May 2026 22:15:00 +0000

Type         | Values Removed | Values Added
Description  |                | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.
Title        |                | arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash, potential RCE
Weaknesses   |                | CWE-121
References   |                |
Metrics      |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:56:33.437Z

Reserved: 2026-04-30T16:44:48.378Z

Link: CVE-2026-42854

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:34.930

Modified: 2026-05-12T22:16:34.930

Link: CVE-2026-42854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses