PatchSiren cyber security CVE debrief
CVE-2026-28525 sbabic CVE debrief
CVE-2026-28525 is an integer underflow vulnerability in the multipart upload parser (mongoose_multipart.c) of SWUpdate. An unauthenticated attacker can cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary while controlling the timing of the TCP stream. The underflow is triggered when the buffer length falls within a specific range; the resulting out-of-bounds heap read runs past the allocated receive buffer, and the over-read data is passed on to a local IPC socket. The CVSS score is 8.2 (High).
- Vendor: sbabic
- Product: swupdate
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-23
- Original CVE updated: 2026-06-04
- Advisory published: 2026-04-23
- Advisory updated: 2026-06-04
Who should care
Anyone running SWUpdate with its built-in web server enabled, particularly on devices reachable from the internet or from untrusted networks, is affected. No authentication is needed to reach the vulnerable /upload handler, so a single crafted request from the network is enough to crash the updater. Check whether the SWUpdate web interface is actually exposed on each device class; if it is not needed, disable it, and if it is, restrict it to a management network until the fix is deployed.
Technical summary
The root cause is an integer underflow (CWE-191) in mg_http_multipart_continue_wait_for_chunk(). The function does not validate the buffer length before doing length arithmetic on it, so when the buffer length falls within a specific range the computed value wraps and the parser reads past the end of the heap-allocated receive buffer (CWE-125). The condition is reached by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlling the TCP stream timing, so that the parser sees the buffer at the length that triggers the underflow.
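To make the bug class concrete, the following is an added illustration of how unsigned length arithmetic in a boundary search wraps (CWE-191) and turns into an over-read (CWE-125), beside a checked version that waits for more data instead. This is hypothetical example code written for this debrief; it is not SWUpdate's or mongoose's code, and the function names, the return conventions and the constructed sample buffers are all assumptions.

```c
/* Added illustration of CWE-191 -> CWE-125 in a multipart boundary search.
 * Hypothetical code written for this debrief, not taken from SWUpdate or mongoose. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Vulnerable pattern: the number of candidate start positions is computed
 * from two unsigned lengths with no lower-bound check. When fewer bytes
 * than the boundary length have arrived, the subtraction wraps to a huge
 * value and any loop bounded by it walks off the end of the receive buffer. */
size_t unchecked_search_len(size_t buf_len, size_t boundary_len)
{
    return buf_len - boundary_len;   /* wraps when buf_len < boundary_len */
}

/* Checked version: only compute the span when it is meaningful.
 * Returns 0 and stores the last valid start offset, or -1 when the
 * buffer is too short (caller should wait for more data, not scan). */
int checked_search_len(size_t buf_len, size_t boundary_len, size_t *out)
{
    if (boundary_len == 0 || buf_len < boundary_len)
        return -1;
    *out = buf_len - boundary_len;
    return 0;
}

/* Locate `boundary` inside `buf` without ever reading past buf + buf_len.
 * Returns the match offset, -1 if the buffer is shorter than the boundary,
 * or -2 if the boundary is not present in the data received so far. */
long find_boundary(const unsigned char *buf, size_t buf_len,
                   const unsigned char *boundary, size_t boundary_len)
{
    size_t last;
    if (checked_search_len(buf_len, boundary_len, &last) != 0)
        return -1;
    for (size_t i = 0; i <= last; i++) {
        /* i + boundary_len <= buf_len holds for every i here */
        if (memcmp(buf + i, boundary, boundary_len) == 0)
            return (long)i;
    }
    return -2;
}

int main(void)
{
    /* Constructed sample data: a partial body that is shorter than the
     * boundary, and a complete chunk ending with the boundary. */
    const unsigned char boundary[] = "--xyz";
    const unsigned char partial[] = "ab";
    const unsigned char complete[] = "data\r\n--xyz";

    printf("unchecked span for 2-byte buffer: %zu (wrapped)\n",
           unchecked_search_len(sizeof(partial) - 1, sizeof(boundary) - 1));
    printf("checked search on partial buffer: %ld (wait for more data)\n",
           find_boundary(partial, sizeof(partial) - 1, boundary, sizeof(boundary) - 1));
    printf("checked search on complete buffer: %ld\n",
           find_boundary(complete, sizeof(complete) - 1, boundary, sizeof(boundary) - 1));
    return 0;
}
```

The point of the checked variant is that "too short" is a normal state for a streaming parser (the next TCP segment may bring the rest of the boundary), so the right response is to return and wait, never to derive a loop bound from a subtraction that can go negative.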
Defensive priority
High
Recommended defensive actions
- Apply the upstream fix commit and rebuild and redeploy any SWUpdate images built from the affected sources: [ref-4](https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74)
- Refer to the vendor advisory for affected versions and remediation details: [ref-5](https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser)
Evidence notes
The CVE record lists the reporter only as a redacted address ([email protected]). The weakness is classified as CWE-191 (Integer Underflow, Wrap or Wraparound), which leads to CWE-125 (Out-of-bounds Read).
Official resources
- CVE-2026-28525 CVE record (CVE.org)
- CVE-2026-28525 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE-2026-28525 was published on 2026-04-23 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-28525)) and last modified on 2026-06-04 ([NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-28525)).