CVE-2026-42854

9.8 CRITICAL

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers

Published: 2026-05-12 · Last updated: 2026-05-18

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121

Affected products

Vendor	Product
espressif	arduino-esp32

Description

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42854
[Vendor advisory]https://github.com/espressif/arduino-esp32/security/advisories/GHSA-8cmm-3887-r32j
[Vendor advisory]https://github.com/espressif/arduino-esp32/security/advisories/GHSA-8cmm-3887-r32j

Related CVEs

Same vendor

CVE-2026-46532 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (4.6 MEDIUM)
CVE-2026-45542 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (7.1 HIGH)
CVE-2026-45541 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (7.5 HIGH)
CVE-2026-45329 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (7.1 HIGH)
CVE-2026-45328 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (9.3 CRITICAL)

Same CWE

CVE-2026-49760 — Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow
CVE-2026-49759 — Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by...
CVE-2026-26241 — A buffer overflow vulnerability has been reported to affect File Station 5
CVE-2026-26240 — A buffer overflow vulnerability has been reported to affect File Station 5
CVE-2026-26239 — A buffer overflow vulnerability has been reported to affect File Station 5