CVE-2026-28525— SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

整数下溢(超界折返)

SWUpdate 缓冲区错误漏洞

SWUpdate是Stefano Babic个人开发者的一个嵌入式Linux系统更新工具。 SWUpdate存在缓冲区错误漏洞，该漏洞源于mongoose_multipart.c中多部分上传解析器的整数下溢，允许未经身份验证的攻击者通过发送特制HTTP POST请求到/upload导致拒绝服务。

N/A

N/A