CVE-2026-28525

medium
Published 2026-04-23 · Modified 2026-05-26
CVSS v3
6.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS v2
VIR risk
6.8

Description

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. When the buffer length falls within a specific range, the mg_http_multipart_continue_wait_for_chunk() function underflows an integer, causing an out-of-bounds heap read past the allocated receive buffer; the over-read data is passed on to a local IPC socket.

Predictions

Exploit likelihood
77%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Vendor (authored 2026-05-27)

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-28525

OS impact

OS       Version    Status    Fixed in
debian   bookworm   fixed     2022.12+dfsg-4+deb12u2
debian   bullseye   affected  -
debian   forky      fixed     2025.12+dfsg-9
debian   sid        fixed     2025.12+dfsg-9
debian   trixie     fixed     2024.12.1+dfsg-3+deb13u2

References

CWEs

CWE-125 (Out-of-bounds Read), CWE-191 (Integer Underflow)
