CVE-2026-42854
CriticalSummary
In versions prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field. Sending a boundary string longer than ~8000 characters overflows the stack and may lead to remote code execution.
Risk Assessment
Organizations may face system crashes and potential remote code execution by attackers, leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 3.3.8 or later to mitigate this vulnerability and implement additional safeguards against overflow attacks.
Original NVD description (English source)
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

