PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45352 yhirose CVE debrief

A vulnerability in cpp-httplib prior to version 0.43.4 allows a remote, unauthenticated attacker to cause a denial of service through unbounded memory allocation and a process crash. The issue stems from missing validation of the chunk-size field in HTTP chunked Transfer-Encoding bodies. ChunkedDecoder::read_payload parses the chunk size with std::strtoul(), which, per C standard §7.22.1.4, silently accepts a leading minus sign and negates the converted value in unsigned arithmetic, so a negative chunk size wraps to a value near ULONG_MAX. The code rejects only ULONG_MAX itself (the result of parsing '-1'); any other negative value, such as '-2', passes validation and yields a near-maximum unsigned size. The server's read loop then tries to consume that many bytes from the connection, exhausting memory and crashing the process. The vulnerability has a CVSS 3.1 base score of 5.3 (MEDIUM): network attack vector, low attack complexity, no privileges or user interaction required, and availability impact only. The CVE was published on May 29, 2026 and is currently undergoing analysis in the NVD.

Vendor
yhirose
Product
cpp-httplib
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running network services built with cpp-httplib versions prior to 0.43.4, particularly services that accept request bodies from untrusted clients. Because cpp-httplib is a single-header library that is commonly vendored into a project's source tree rather than installed through a package manager, development teams should search their code bases for httplib.h and check its version rather than relying on dependency inventories alone. Security operations teams should monitor affected applications for crashes and memory exhaustion.

Technical summary

The vulnerability exists in the ChunkedDecoder::read_payload function within httplib.h. The function parses the chunk-size field of a chunked transfer-encoded body with std::strtoul(), which, per C standard §7.22.1.4, skips leading whitespace, accepts an optional '+' or '-' sign, and, for a negative input, negates the converted value in unsigned arithmetic. Parsing '-2' therefore returns ULONG_MAX + 1 - 2, that is 0xFFFFFFFFFFFFFFFE where unsigned long is 64 bits (0xFFFFFFFE where it is 32 bits, as on Windows). The existing validation at line 12833 rejects only the exact value ULONG_MAX, the result of parsing '-1', so every other negative value passes. The wrapped value is assigned to chunk_remaining and drives the byte count of the network read loop, causing unbounded memory allocation and subsequent process termination. RFC 9112 defines chunk-size as a sequence of hexadecimal digits only, so a sign character is never valid at that position; the fix in version 0.43.4 closes this validation gap.
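To make the parsing behaviour described above concrete, here is an added example written for this debrief; it is not code from cpp-httplib or from the advisory. It contrasts a lenient chunk-size parser modelled on the flaw (std::strtoul() with only the ULONG_MAX result rejected) against a parser that accepts only the RFC 9112 chunk-size grammar and bounds the value while accumulating it. The function names, the kMaxChunkSize policy value, and the assumption that the caller has already stripped the trailing CRLF from the chunk-size line are all assumptions of this example.

```cpp
// Added example for this debrief; not cpp-httplib code. Contrasts a
// strtoul-based chunk-size parser modelled on the flaw described above with a
// grammar-based parser. Function names and kMaxChunkSize are assumptions.
#include <climits>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Lenient parser modelled on the advisory's description: std::strtoul()
// accepts leading whitespace, a '+'/'-' sign and a "0x" prefix, and negates a
// negative input in unsigned arithmetic. Only the exact value ULONG_MAX (what
// "-1" produces) is rejected, so "-2" wraps to ULONG_MAX - 1 and is accepted.
// The "nothing parsed" check is added here so the comparison is fair.
bool parse_chunk_size_lenient(const std::string& line, unsigned long& out) {
    const char* begin = line.c_str();
    char* end = nullptr;
    unsigned long v = std::strtoul(begin, &end, 16);
    if (end == begin) return false;    // no digits consumed at all
    if (v == ULONG_MAX) return false;  // catches "-1" (and genuine overflow) only
    out = v;
    return true;
}

// Policy cap for a single chunk; an assumption of this example, not a
// cpp-httplib setting. Chunked encoding has no inherent size limit, so the
// server has to impose one itself.
constexpr std::uint64_t kMaxChunkSize = 64ULL * 1024 * 1024;  // 64 MiB

// Strict parser: RFC 9112 §7.1 defines chunk-size as 1*HEXDIG, optionally
// followed by ';' and chunk extensions. No whitespace, sign or "0x" prefix is
// allowed, and the value is checked against the cap after every digit, so no
// input can overflow or exceed the cap. The caller is assumed to have
// stripped the CRLF that terminates the chunk-size line.
bool parse_chunk_size_strict(const std::string& line, std::uint64_t& out) {
    std::uint64_t v = 0;
    std::size_t i = 0;
    for (; i < line.size(); ++i) {
        const char c = line[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        // v <= kMaxChunkSize here, so (v << 4) | d cannot overflow 64 bits.
        v = (v << 4) | static_cast<std::uint64_t>(d);
        if (v > kMaxChunkSize) return false;  // reject oversized chunks early
    }
    if (i == 0) return false;                             // "", "-2", " 5", "+1"
    if (i < line.size() && line[i] != ';') return false;  // junk after the digits
    out = v;
    return true;
}

int main() {
    // Constructed chunk-size lines, CRLF already removed.
    const char* samples[] = {"1f", "-1", "-2", "-ff", " 5", "0x10",
                             "fffffffffffffffe", "10;name=val", "4000001"};
    for (const char* s : samples) {
        unsigned long lenient = 0;
        std::uint64_t strict = 0;
        const bool lok = parse_chunk_size_lenient(s, lenient);
        const bool sok = parse_chunk_size_strict(s, strict);
        std::cout << '"' << s << "\"  lenient: "
                  << (lok ? std::to_string(lenient) : "rejected")
                  << "  strict: "
                  << (sok ? std::to_string(strict) : "rejected") << '\n';
    }
    return 0;
}
```

The lenient parser shows why the single ULONG_MAX comparison is not a fix: '-2', '-ff' and (on 64-bit unsigned long) 'fffffffffffffffe' all sail through as near-maximum sizes. The strict parser never reaches a wrapped value because it refuses anything outside the hexadecimal grammar and stops as soon as the accumulated size exceeds the configured cap, which is the check a server needs regardless of the sign bug.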

Defensive priority

medium

Recommended defensive actions

  • Upgrade cpp-httplib to version 0.43.4 or later; since the library is usually vendored as a single httplib.h, confirm the version string in every copy checked into your repositories
  • If immediate patching is not feasible, place affected services behind a reverse proxy or WAF that parses and re-encodes chunked request bodies and rejects chunk-size lines that are not a plain hexadecimal digit sequence (RFC 9112 permits no sign character); a proxy that forwards the raw body unchanged offers no protection, and the malformed value lives in the body, not in the Transfer-Encoding header
  • Run affected services under memory limits (container or cgroup limits, or RLIMIT_AS) so an exploitation attempt terminates one process instead of exhausting the host, and alert on sudden memory growth and crash loops
  • Review reverse-proxy and application logs for chunked requests that abort mid-body or coincide with process restarts; header-only logging will not show a malformed chunk size, so body-level or crash telemetry is needed to spot probing
  • Assess exposure of cpp-httplib-based services to untrusted networks and restrict access where possible

Evidence notes

Vulnerability description derived from official CVE record and NVD source data. Technical details confirmed through GitHub Security Advisory GHSA-h6wq-j5mv-f3q8. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. CWE classifications: CWE-20 (Improper Input Validation), CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input).

Official resources

2026-05-29