CVE-2026-42854
Arduino · arduino-esp32
The arduino-esp32 WebServer component contains a stack overflow vulnerability in the multipart form parser, potentially allowing remote code execution via a long HTTP boundary string.
Executive summary
A stack overflow vulnerability in the arduino-esp32 WebServer component, found in versions prior to 3.3.8, could allow remote code execution through malicious HTTP requests.
Vulnerability
The vulnerability exists in the multipart form parser, which allocates a Variable Length Array (VLA) on the stack whose size is taken from an attacker-controlled HTTP header value (the multipart boundary) with no upper bound. An attacker can trigger a stack overflow by sending an excessively long boundary string.
Business impact
With a CVSS score of 9.8, this vulnerability allows for remote code execution on embedded systems. This could result in a complete system takeover of affected microcontrollers, potentially leading to unauthorized control of connected hardware or device bricking.
Remediation
Immediate Action: Update the arduino-esp32 library to version 3.3.8 or later.
Proactive Monitoring: Monitor for unexpected device crashes or reboots, which may indicate attempted exploitation of this stack overflow.
Compensating Controls: Implement input validation at the network perimeter to drop HTTP requests containing abnormally long boundary strings in the Content-Type header.
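The following is an added illustration of the bug class described above and of the boundary-length check the compensating control calls for; it is not arduino-esp32 code and the function names, the 70-character limit (taken from RFC 2046 section 5.1.1) and the sample header values are assumptions made for this example. The unsafe pattern is shown only in a comment; the compiled parser rejects an oversized boundary before anything is copied to the stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2046 section 5.1.1 limits a multipart boundary to 1..70 characters.
   Anything longer is malformed and can be dropped at the perimeter. */
#define BOUNDARY_MAX_LEN 70

enum boundary_status {
    BOUNDARY_OK = 0,
    BOUNDARY_MISSING = -1,  /* not multipart, or no boundary= parameter */
    BOUNDARY_TOO_LONG = -2  /* boundary exceeds BOUNDARY_MAX_LEN: reject */
};

/*
 * Unsafe pattern this advisory describes (illustrative, not the project's code):
 *
 *     size_t len = strlen(boundary_from_header);   // client controlled
 *     char delim[len + 4];                          // VLA sized by the client
 *
 * A client chooses len; on an embedded task stack of a few kilobytes an
 * oversized VLA exhausts the stack before the parser copies a single byte.
 */

/* Parse "multipart/form-data; boundary=..." into a fixed-size caller buffer.
   The length is checked against BOUNDARY_MAX_LEN before any copy happens. */
int extract_boundary(const char *content_type, char *out, size_t out_size)
{
    if (content_type == NULL || out == NULL || out_size < BOUNDARY_MAX_LEN + 1)
        return BOUNDARY_MISSING;

    /* Only multipart bodies carry a boundary parameter. */
    if (strncmp(content_type, "multipart/form-data", 19) != 0)
        return BOUNDARY_MISSING;

    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return BOUNDARY_MISSING;
    p += strlen("boundary=");

    /* The parameter value may be quoted: boundary="..." */
    int quoted = (*p == '"');
    if (quoted)
        p++;

    /* Measure up to the limit plus one; never size a stack buffer from
       strlen() of client data. */
    size_t len = 0;
    while (p[len] != '\0' && p[len] != ';' && !(quoted && p[len] == '"')) {
        if (++len > BOUNDARY_MAX_LEN)
            return BOUNDARY_TOO_LONG;
    }
    if (len == 0)
        return BOUNDARY_MISSING;

    memcpy(out, p, len);
    out[len] = '\0';
    return BOUNDARY_OK;
}

/* Classify a Content-Type header value without the caller managing a buffer. */
int classify_content_type(const char *content_type)
{
    char buf[BOUNDARY_MAX_LEN + 1];
    return extract_boundary(content_type, buf, sizeof buf);
}

/* Returns 1 if the header's boundary parses and equals expected, else 0. */
int boundary_matches(const char *content_type, const char *expected)
{
    char buf[BOUNDARY_MAX_LEN + 1];
    if (extract_boundary(content_type, buf, sizeof buf) != BOUNDARY_OK)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Build a constructed header whose boundary is n bytes of 'A' and return how
   the parser classifies it (demonstration fixture, capped at the buffer size). */
int classify_boundary_of_length(size_t n)
{
    char header[512];
    const char prefix[] = "multipart/form-data; boundary=";
    size_t plen = sizeof prefix - 1;
    if (n + plen >= sizeof header)
        n = sizeof header - plen - 1;
    memcpy(header, prefix, plen);
    memset(header + plen, 'A', n);
    header[plen + n] = '\0';
    return classify_content_type(header);
}

int main(void)
{
    /* Constructed sample header values. */
    printf("normal:        %d\n",
           classify_content_type("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"));
    printf("70 bytes:      %d\n", classify_boundary_of_length(70));
    printf("71 bytes:      %d\n", classify_boundary_of_length(71));
    printf("non-multipart: %d\n", classify_content_type("application/json"));
    return 0;
}
```

The same check can run in a reverse proxy or WAF rule in front of unpatched devices: a Content-Type header whose boundary parameter exceeds 70 characters is never valid, so dropping it loses no legitimate traffic.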
Exploitation status
Public Exploit Available: No
Analyst recommendation
Due to the high risk of remote code execution, users of the arduino-esp32 core should upgrade to version 3.3.8 immediately. Ensure all build environments are updated to include this security fix to prevent potential device compromise.