Cyber Posture

CVE-2026-42854

Critical

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 41.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42854 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an…

more

attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-121

References