Integer Overflow Vulnerability in Tinyproxy Affects Remote Access
CVE-2026-3945

8.7 HIGH

Key Information:

Vendor

Tinyproxy

Status
Vendor
CVE Published: 30 March 2026

What is CVE-2026-3945?

An integer overflow vulnerability in the HTTP chunked transfer encoding parser of Tinyproxy versions up to and including 1.11.3 allows unauthenticated remote attackers to cause a denial of service (DoS). The vulnerability arises from improper validation when parsing chunk size values, particularly values that exceed LONG_MAX. The resulting incorrect arithmetic causes the application to attempt to read excessive amounts of data, which exhausts worker slots. Tinyproxy then cannot accept new connections, leaving the service unavailable to legitimate users.
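To make the failure class concrete, the following added example (not Tinyproxy's code and not taken from the advisory) contrasts an unchecked `strtol()` conversion with a strict, bounded chunk-size parser. The function names, the `MAX_CHUNK` cap and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHUNK (16L * 1024 * 1024) /* hypothetical per-chunk cap, not a Tinyproxy setting */

/* Weak pattern (illustrative, not Tinyproxy's code): strtol() saturates to
 * LONG_MAX on overflow and accepts a leading '-', and nothing checks either. */
static long naive_chunk_size(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Strict parse of a chunk-size line: hex digits only, bounded before each
 * multiply so the accumulator cannot overflow. Returns the size, or -1. */
static long parse_chunk_size(const char *line, long max_chunk)
{
    long size = 0;
    const char *p = line;

    if (!isxdigit((unsigned char)*p))
        return -1;                      /* empty, signed or space-prefixed */
    for (; isxdigit((unsigned char)*p); p++) {
        int d = isdigit((unsigned char)*p) ? *p - '0'
              : tolower((unsigned char)*p) - 'a' + 10;
        if (d > max_chunk || size > (max_chunk - d) / 16)
            return -1;                  /* size * 16 + d would exceed the cap */
        size = size * 16 + d;
    }
    /* Only a chunk extension or the line terminator may follow the digits. */
    if (*p != ';' && *p != '\r' && *p != '\n' && *p != '\0')
        return -1;
    return size;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = { "1a\r\n", "ffffffffffffffffff\r\n", "-1\r\n", "1000001\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("naive=%ld strict=%ld\n", naive_chunk_size(lines[i]),
               parse_chunk_size(lines[i], MAX_CHUNK));
    return 0;
}
```

A caller that treats the naive result as a byte count would wait for data that never arrives, which is the worker-slot exhaustion the description refers to; the strict parser rejects the same lines before any arithmetic is done on them.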

Affected Version(s)

tinyproxy <=1.11.3

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muxammadiyev G'iyosiddin