CVE-2026-42854

arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE

Assigner: GitHub_M
Reserved: 30.04.2026 Published: 12.05.2026 Updated: 12.05.2026

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	espressif
Product	arduino-esp32
Versions	Version < 3.3.8 is affected

Vendor

espressif

Product

arduino-esp32

Versions

Version < 3.3.8 is affected

References

Problem Types

CWE-121: Stack-based Buffer Overflow CWE

CVE-2026-42854 PUBLISHED

arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE

Metrics

Product Status

References

Problem Types