Vulnerability Details CVE-2026-28525
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read past the allocated receive buffer to a local IPC socket.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 23.2%
CVSS Severity
CVSS v3 Score 6.8
References
Products affected by CVE-2026-28525
-
cpe:2.3:a:swupdate:swupdate:2014.07
-
cpe:2.3:a:swupdate:swupdate:2015.07
-
cpe:2.3:a:swupdate:swupdate:2016.04
-
cpe:2.3:a:swupdate:swupdate:2016.07
-
cpe:2.3:a:swupdate:swupdate:2016.10
-
cpe:2.3:a:swupdate:swupdate:2017.01
-
cpe:2.3:a:swupdate:swupdate:2017.04
-
cpe:2.3:a:swupdate:swupdate:2017.07
-
cpe:2.3:a:swupdate:swupdate:2017.11
-
cpe:2.3:a:swupdate:swupdate:2018.03
-
cpe:2.3:a:swupdate:swupdate:2018.11
-
cpe:2.3:a:swupdate:swupdate:2019.04
-
cpe:2.3:a:swupdate:swupdate:2019.11
-
cpe:2.3:a:swupdate:swupdate:2020.04
-
cpe:2.3:a:swupdate:swupdate:2020.11
-
cpe:2.3:a:swupdate:swupdate:2021.04
-
cpe:2.3:a:swupdate:swupdate:2021.11
-
cpe:2.3:a:swupdate:swupdate:2022.05
-
cpe:2.3:a:swupdate:swupdate:2022.12
-
cpe:2.3:a:swupdate:swupdate:2023.05
-
cpe:2.3:a:swupdate:swupdate:2023.12
-
cpe:2.3:a:swupdate:swupdate:2023.12.1
-
cpe:2.3:a:swupdate:swupdate:2024.05
-
cpe:2.3:a:swupdate:swupdate:2024.05.2
-
cpe:2.3:a:swupdate:swupdate:2024.12
-
cpe:2.3:a:swupdate:swupdate:2024.12.1
-
cpe:2.3:a:swupdate:swupdate:2025.05
-
cpe:2.3:a:swupdate:swupdate:2025.12