CVE Catalog

CVE-2026-42854

Critical
Published: Translated: NVD NIST

Summary

In versions prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field. Sending a boundary string longer than ~8000 characters overflows the stack and may lead to remote code execution.

Risk Assessment

Organizations may face system crashes and potential remote code execution by attackers, leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 3.3.8 or later to mitigate this vulnerability and implement additional safeguards against overflow attacks.

Original NVD description (English source)

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS