CVE-2026-28525

Published: Apr 23, 2026

Modified: May 25, 2026

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.

Vendor	Product	Versions
sbabic	swupdate	affected `0 - <= 2025.12` unaffected `beee2dc0feef1cfe84f1aa6fc980e104b2e47a74`

Weaknesses (CWE)

CWE-191

CWE-125

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74

patch

https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-28525

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References