CVE-2026-42854: Arduino ESP32 Web Server Crashes from Malicious Data

Summary

A bug in the Arduino ESP32's web server can cause the device to crash if an HTTP request it receives carries an oversized header value. This could potentially allow an attacker to take control of the device. Update to the latest version of the Arduino ESP32 software to fix this issue.

Original title
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates ...
Original description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.
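To make the root cause concrete, here is an added illustration in C (not arduino-esp32's code) of the pattern the description refers to: a boundary parser that validates the header-derived length against a fixed cap before any stack buffer is sized, next to the unchecked VLA shape. The 70-character cap follows RFC 2046; the function names and the test helpers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2046 limits a multipart boundary to 70 characters; assumed cap. */
#define MAX_BOUNDARY_LEN 70

/* Locate the boundary parameter in a Content-Type value. Returns a
 * pointer to its first character and stores its length, or NULL. */
const char *find_boundary(const char *content_type, size_t *len) {
    const char *p = strstr(content_type, "boundary=");
    if (!p) return NULL;
    p += strlen("boundary=");
    const char *end = p;
    while (*end && *end != ';' && *end != '\r' && *end != '\n') end++;
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable shape (CWE-121): the VLA is sized by a length the HTTP
 * client controls, so a long boundary overruns the task stack. */
bool vulnerable_parse(const char *content_type) {
    size_t len;
    const char *b = find_boundary(content_type, &len);
    if (!b) return false;
    char boundary[len + 1];             /* attacker-controlled size */
    memcpy(boundary, b, len);
    boundary[len] = '\0';
    return boundary[0] != '\0';
}

/* Hardened: enforce the cap before anything is allocated, and copy
 * into a caller-provided fixed buffer instead of a VLA. */
bool parse_multipart_boundary(const char *content_type, char *out, size_t out_size) {
    size_t len;
    const char *b = find_boundary(content_type, &len);
    if (!b || len == 0 || len > MAX_BOUNDARY_LEN || len + 1 > out_size) return false;
    memcpy(out, b, len);
    out[len] = '\0';
    return true;
}

/* Test helper: does the hardened parser accept this header value? */
bool boundary_accepted(const char *content_type) {
    char buf[MAX_BOUNDARY_LEN + 1];
    return parse_multipart_boundary(content_type, buf, sizeof buf);
}

/* Test helper: build a constructed header with an n-character boundary
 * on the heap and report whether the hardened parser rejects it. */
bool oversized_boundary_rejected(size_t n) {
    const char prefix[] = "multipart/form-data; boundary=";
    char *hdr = malloc(sizeof prefix + n);
    if (!hdr) return false;
    memcpy(hdr, prefix, sizeof prefix - 1);
    memset(hdr + sizeof prefix - 1, 'A', n);
    hdr[sizeof prefix - 1 + n] = '\0';
    bool rejected = !boundary_accepted(hdr);
    free(hdr);
    return rejected;
}
```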
NVD CVSS 3.1 score: 9.8
Vulnerability type
CWE-121 Stack-based Buffer Overflow
Published: 12 May 2026 · Updated: 28 May 2026 · First seen: 12 May 2026