CVE-2026-28525

MEDIUM 6.8

SWUpdate Integer Underflow in Multipart Upload Parser

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

CWE	CWE-191 CWE-125
Vendor	sbabic
Product	swupdate
Published	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for sbabic swupdate

Be the first to know when new medium vulnerabilities affecting sbabic swupdate are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

sbabic / swupdate

0 ≤ 2025.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 vulncheck.com: https://www.vulncheck.com/advisories/swupdate-integer-underflow-in-multipart-upload-parser

Credits

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. VulnCheck