CVE-2026-28525

MEDIUM

SWUpdate Integer Underflow in Multipart Upload Parser

Title source: cna

Description

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.

References (2)

Core 2

Core References

Patch patch

https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser

Scores

CVSS v3 6.8

EPSS 0.0032

EPSS Percentile 23.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-125 CWE-191

Status published

Products (3)

sbabic/swupdate < 2025.12

sbabic/swupdate beee2dc0feef1cfe84f1aa6fc980e104b2e47a74

swupdate/swupdate < 2025.12

Published Apr 23, 2026

Tracked Since Apr 24, 2026