PatchSiren cyber security CVE debrief

CVE-2026-42854 Espressif CVE debrief

CVE-2026-42854 is a critical, network-reachable memory corruption issue in arduino-esp32’s WebServer multipart form parser. An attacker-controlled multipart boundary value can exhaust the loopTask stack and crash the device, with potential remote code execution. The issue is fixed in arduino-esp32 3.3.8.

Vendor: Espressif
Product: Arduino-Esp32
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Developers and operators using arduino-esp32 on ESP32-family devices, especially if the firmware exposes a WebServer interface that accepts multipart/form-data requests from untrusted networks.

Technical summary

According to the NVD record and the GitHub security advisory, the WebServer multipart parser allocates a variable-length array on the stack using the Content-Type boundary parameter without enforcing a length limit. In affected versions prior to 3.3.8, a sufficiently long boundary string can overflow the 8192-byte loopTask stack, leading to a crash and possible code execution. NVD classifies the weakness as CWE-121 and assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
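As an added illustration, not arduino-esp32's own code, this sketch shows the parsing pattern the advisory describes written the hardened way: the boundary length is checked against the RFC 2046 maximum of 70 characters before any buffer is sized from it, instead of letting the client pick the size of a stack VLA. The names extract_boundary, boundary_length and BOUNDARY_MAX are assumptions for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* RFC 2046 caps a multipart boundary at 70 characters, so a fixed buffer
 * of that size is always enough for a well-formed request. */
#define BOUNDARY_MAX 70

/* Copy the boundary parameter of a Content-Type value into a fixed-size
 * caller buffer. Returns its length, 0 when the header is not multipart or
 * carries no boundary, and -1 when the boundary exceeds BOUNDARY_MAX or the
 * buffer. The weak pattern this replaces is `char delim[len + 3];` with len
 * taken straight from the header, i.e. a stack VLA the client sizes. */
int extract_boundary(const char *content_type, char *out, size_t out_len) {
    if (strncasecmp(content_type, "multipart/form-data", 19) != 0) return 0;
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL) return 0;
    p += strlen("boundary=");
    int quoted = (*p == '"');           /* boundary may be quoted */
    if (quoted) p++;
    size_t n = 0;
    while (p[n] != '\0') {
        if (quoted ? p[n] == '"' : (p[n] == ';' || p[n] == ' ' || p[n] == '\t')) break;
        n++;
    }
    if (n == 0) return 0;
    /* Length is validated BEFORE any copy or buffer sizing happens. */
    if (n > BOUNDARY_MAX || n + 1 > out_len) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Wrapper: parse into a bounded stack buffer and report the result, so the
 * rejection path runs without ever creating an oversized stack frame. */
int boundary_length(const char *content_type) {
    char boundary[BOUNDARY_MAX + 1];
    return extract_boundary(content_type, boundary, sizeof boundary);
}

int main(void) {
    const char *ok = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk";
    char bad[200] = "multipart/form-data; boundary=";
    memset(bad + strlen(bad), 'A', 120);  /* constructed oversized boundary */
    printf("valid: %d, oversized: %d\n", boundary_length(ok), boundary_length(bad));
    return 0;
}
```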

Defensive priority

Urgent. This is a critical, unauthenticated network attack surface issue with crash and potential code-execution impact, so affected firmware should be upgraded to 3.3.8 or later as soon as possible.

Recommended defensive actions

  • Upgrade arduino-esp32 to version 3.3.8 or later.
  • Inventory firmware that uses arduino-esp32 WebServer functionality, especially any multipart upload handling.
  • Restrict exposure of device web interfaces to trusted networks or authenticated management paths until patched.
  • If immediate upgrading is not possible, disable or remove multipart upload features where feasible.
  • Monitor affected devices for unexpected crashes or repeated restarts that could indicate probing or exploitation attempts.

Evidence notes

The supplied NVD record lists the vulnerability as analyzed, with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and weakness CWE-121. The vendor advisory at GitHub states that the multipart form parser used an attacker-controlled boundary length to size a stack VLA, and that versions prior to 3.3.8 are affected. The CVE was published on 2026-05-12 and last modified on 2026-05-18.

Official resources

Publicly disclosed on 2026-05-12 and updated in the CVE record on 2026-05-18. The fixed release identified in the supplied sources is arduino-esp32 3.3.8.