Integer Underflow Vulnerability in SWUpdate from Software Technologies
CVE-2026-28525

8.2 HIGH

Key Information:

Vendor

Sbabic

Status
Vendor
CVE Published:
23 April 2026

What is CVE-2026-28525?

An integer underflow vulnerability exists in the multipart upload parser of SWUpdate, specifically in the mongoose_multipart.c file. It allows unauthenticated attackers to cause a denial of service by sending specially crafted HTTP POST requests to the /upload endpoint. The requests combine a malformed multipart boundary with controlled TCP stream timing, leading to an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function. This can trigger an out-of-bounds heap read in which data from beyond the allocated receive buffer is written to a local IPC socket, compromising system stability.
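The bug class described above, as an added C example that is not code from SWUpdate or mongoose_multipart.c. It assumes, for illustration only, that the parser derives a forwardable length by subtracting the boundary length from the buffered length; the function names, sizes and the `sink` buffer standing in for the IPC socket are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unguarded length calculation: bytes that may be forwarded while holding
 * back boundary_len bytes for a boundary split across TCP segments.
 * size_t is unsigned, so buf_len < boundary_len wraps to a huge value. */
static size_t forwardable_unchecked(size_t buf_len, size_t boundary_len)
{
    return buf_len - boundary_len;
}

/* Guarded calculation: 0 means "wait for more data". */
static size_t forwardable_checked(size_t buf_len, size_t boundary_len)
{
    return buf_len > boundary_len ? buf_len - boundary_len : 0;
}

/* Hardened forwarding step. sink stands in for the IPC socket write.
 * Returns bytes copied, never more than buf_len or sink_cap. */
static size_t forward_chunk(const char *buf, size_t buf_len, size_t boundary_len,
                            char *sink, size_t sink_cap)
{
    size_t n = forwardable_checked(buf_len, boundary_len);
    if (n > sink_cap)
        n = sink_cap;
    if (n > 0)
        memcpy(sink, buf, n);
    return n;
}

int main(void)
{
    const size_t boundary_len = 40;              /* constructed value */
    const size_t sizes[] = {1, 39, 40, 41, 64};  /* constructed buffer fills */
    char buf[64], sink[64];
    memset(buf, 'A', sizeof buf);
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t raw = forwardable_unchecked(sizes[i], boundary_len);
        size_t sent = forward_chunk(buf, sizes[i], boundary_len, sink, sizeof sink);
        printf("buffered=%2zu unchecked=%20zu (%s) hardened=%zu\n", sizes[i], raw,
               raw > sizes[i] ? "past end of buffer" : "ok", sent);
    }
    return 0;
}
```

The unguarded result is only computed and printed, never used as a read length; the hardened path shows the two checks a reviewer should look for before any length reaches a copy or socket write.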

Affected Version(s)

swupdate 0 <= 2025.12

swupdate beee2dc0feef1cfe84f1aa6fc980e104b2e47a74

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
VulnCheck