CVE-2026-42854

Arduino · arduino-esp32

The arduino-esp32 WebServer component contains a stack overflow vulnerability in the multipart form parser, potentially allowing remote code execution via a long HTTP boundary string.

Executive summary

A stack overflow vulnerability in the arduino-esp32 WebServer component, found in versions prior to 3.3.8, could allow remote code execution through malicious HTTP requests.

Vulnerability

The vulnerability exists in the multipart form parser, which sizes a Variable Length Array (VLA) on the stack from the length of an attacker-controlled HTTP header value with no upper bound. An attacker can therefore trigger a stack overflow by sending a request whose multipart boundary string is excessively long.

Business impact

With a CVSS score of 9.8, this vulnerability allows for remote code execution on embedded systems. This could result in a complete system takeover of affected microcontrollers, potentially leading to unauthorized control of connected hardware or device bricking.

Remediation

Immediate Action: Update the arduino-esp32 library to version 3.3.8 or later.

Proactive Monitoring: Monitor for unexpected device crashes or reboots, which may indicate attempted exploitation of this stack overflow.

Compensating Controls: Implement input validation at the network perimeter to drop HTTP requests containing abnormally long boundary strings in the Content-Type header.
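As an added example, not the arduino-esp32 WebServer's own parser and not the actual 3.3.8 fix, the C helper below shows the pattern that avoids this bug class: measure the boundary parameter first, reject it if it exceeds the RFC 2046 limit of 70 characters, and only then copy it into a fixed-size buffer, so the attacker never chooses a stack allocation size. The function names extract_boundary and boundary_header_is_safe are hypothetical; the second one is the same length check expressed as a perimeter filter for Content-Type headers.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2046 section 5.1.1 limits a multipart boundary to 70 characters.
 * A fixed cap like this, instead of a stack VLA sized from the header,
 * is the point of the example. */
#define MAX_BOUNDARY_LEN 70

/* Hypothetical helper (not the arduino-esp32 parser): copy the boundary
 * parameter of a Content-Type value into a fixed-size caller buffer.
 * Returns the boundary length, -1 if no boundary parameter is present,
 * or -2 if the boundary is empty, exceeds MAX_BOUNDARY_LEN, or would not
 * fit in out_len bytes including the terminator. */
int extract_boundary(const char *content_type, char *out, size_t out_len)
{
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return -1;
    p += strlen("boundary=");

    int quoted = (*p == '"');   /* boundary="..." form is allowed */
    if (quoted)
        p++;

    /* Measure first; nothing is copied until the length is validated. */
    size_t len = 0;
    while (p[len] != '\0' && p[len] != ';' && p[len] != '\r' &&
           p[len] != '\n' && !(quoted && p[len] == '"'))
        len++;

    if (len == 0 || len > MAX_BOUNDARY_LEN || len >= out_len)
        return -2;

    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Perimeter-style check: 1 if the Content-Type value is safe to hand to a
 * multipart parser (no boundary, or a boundary within the limit), else 0. */
int boundary_header_is_safe(const char *content_type)
{
    char scratch[MAX_BOUNDARY_LEN + 1];
    int rc = extract_boundary(content_type, scratch, sizeof scratch);
    return rc == -1 || rc > 0;
}
```

A request whose boundary fails this check can be dropped before the body is ever parsed, which is the behaviour the compensating control above asks for.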

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the high risk of remote code execution, users of the arduino-esp32 core should upgrade to version 3.3.8 immediately. Ensure all build environments are updated to include this security fix to prevent potential device compromise.