CVE-2026-28525

SWUpdate Integer Underflow in Multipart Upload Parser

Assigner: VulnCheck
Reserved: 27.02.2026 Published: 23.04.2026 Updated: 23.04.2026

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS Score: 6.8

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	sbabic
Product	swupdate
Versions	Default: unaffected affected from 0 to 2025.12 (incl.) Version beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 is unaffected

Vendor

sbabic

Product

swupdate

Versions

Default: unaffected

affected from 0 to 2025.12 (incl.)
Version beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 is unaffected

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. finder
VulnCheck coordinator

References

Problem Types