CVE-2026-28525

Name: CVE-2026-28525
Description: SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release  | Version                   | Status
swupdate (PTS) | bullseye | 2020.11-2+deb11u1         | vulnerable
               | bookworm | 2022.12+dfsg-4+deb12u1    | vulnerable
               | trixie   | 2024.12.1+dfsg-3+deb13u1  | vulnerable
               | forky    | 2025.12+dfsg-8            | vulnerable
               | sid      | 2025.12+dfsg-10           | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
swupdate | source | (unstable) | 2025.12+dfsg-9 |         |        |

Notes

[trixie] - swupdate <no-dsa> (Minor issue)
[bookworm] - swupdate <no-dsa> (Minor issue)
[bullseye] - swupdate <postponed> (Minor issue; can be fixed in next update)
Fixed by: https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74
