Description
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.
Published: 2026-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an integer underflow in SOAPAction header parsing within the ParseHttpHeaders() routine of miniupnpd. When a specially crafted SOAPAction header containing a single quote is processed, the measured length underflows, yielding a large unsigned value that is used by memchr(). This causes the routine to scan far beyond the allocated HTTP request buffer, potentially leading to an out‑of‑bounds read. The resulting denial of service or accidental disclosure of memory contents demonstrates the severity of the flaw, consistent with CWE‑125 (Out‑of‑Bounds Read) and CWE‑191 (Signed/Unsigned Conversion Errors).

Affected Systems

Products affected by this vulnerability are the miniupnp project’s miniupnpd daemon. No specific version information is provided in the CNA data, so all installed builds of miniupnpd remain potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact, and the lack of EPSS data implies no quantifiable probability yet. Because the fault is triggered by a malformed HTTP header, an attacker only needs network access to target a running miniupnpd instance; no additional privileges are required. The flaw is not catalogued by CISA KEV at present, but the potential for remote denial of service and information disclosure warrants prompt attention.

Generated by OpenCVE AI on April 18, 2026 at 08:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest miniupnpd release that incorporates the fix for the integer underflow in ParseHttpHeaders().
  • If an immediate upgrade is not possible, replace the vulnerable ParseHttpHeaders() function with the patched code from the commit referenced in the advisories.
  • Verify that the SOAPAction header is now validated correctly and that out‑of‑bounds reads can no longer occur.

Generated by OpenCVE AI on April 18, 2026 at 08:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 21:45:00 +0000

Type Values Removed Values Added
References

Mon, 20 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
References

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Miniupnp Project
Miniupnp Project miniupnpd
Vendors & Products Miniupnp Project
Miniupnp Project miniupnpd

Fri, 17 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.
Title miniupnpd Integer Underflow SOAPAction Header Parsing
Weaknesses CWE-125
CWE-191
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Miniupnp Project Miniupnpd
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T21:40:40.859Z

Reserved: 2026-04-06T20:18:57.634Z

Link: CVE-2026-5720

cve-icon Vulnrichment

Updated: 2026-04-20T14:51:39.399Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T22:16:33.803

Modified: 2026-05-04T22:16:19.147

Link: CVE-2026-5720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses