{"id":"CVE-2026-28525","summary":"SWUpdate Integer Underflow in Multipart Upload Parser","details":"SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.","modified":"2026-07-08T08:12:46.185168687Z","published":"2026-04-23T20:59:31.492Z","database_specific":{"cwe_ids":["CWE-125","CWE-191"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28525.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28525.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28525"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser"},{"type":"FIX","url":"https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74"},{"type":"PACKAGE","url":"https://github.com/sbabic/swupdate"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sbabic/swupdate","events":[{"introduced":"0"},{"fixed":"beee2dc0feef1cfe84f1aa6fc980e104b2e47a74"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:swupdate:swupdate:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"2025.12"}]}}],"versions":["2025.12","2025.05","2024.12","2024.05.2","2024.05","2023.12.1","2023.12","2023.05","2022.12","2022.05","2021.11","2021.04","2020.11","2020.04","2020.04-rc2","2020.04-rc1","2019.11","2019.11-rc1","2019.04","2019.04-rc1","2018.11","2018.11-rc1","2018.03","2018.03-rc1","2017.11","2017.07","2017.07-rc1","2017.04","2017.04-rc2","2017.04-rc1","2017.01","2017.01-rc1","2016.10","2016.10-rc1","2016.07","2016.07-rc3","2016.04","2016.04-rc1","2015.07","2014.07"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28525.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}