CVE-2026-42854: Arduino ESP32 WebServer RCE Vulnerability

CVE-2026-42854 Overview

CVE-2026-42854 is a stack buffer overflow [CWE-121] in the arduino-esp32 WebServer multipart form parser. The vulnerability affects arduino-esp32, the Arduino core for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers. Versions prior to 3.3.8 allocate a Variable Length Array (VLA) on the stack using a size derived from the attacker-controlled Content-Type HTTP header boundary parameter. The parser enforces no length limit on this value. An unauthenticated attacker can send a crafted multipart request with a boundary string longer than approximately 8000 characters to overflow the 8192-byte loopTask stack and trigger a crash or remote code execution.

Critical Impact

Unauthenticated remote attackers can crash ESP32 devices running vulnerable arduino-esp32 WebServer code or execute arbitrary code on the microcontroller by sending a single oversized multipart boundary header.

Affected Products

• arduino-esp32 versions prior to 3.3.8
• ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers running affected firmware
• Any firmware using the bundled WebServer multipart form parser

Discovery Timeline

• 2026-05-12 - CVE-2026-42854 published to NVD
• 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42854

Vulnerability Analysis

The flaw resides in the WebServer library's multipart form parser shipped with arduino-esp32. When the parser handles a POST request with Content-Type: multipart/form-data, it extracts the boundary parameter from the header. The parser then allocates a Variable Length Array on the stack sized according to the boundary string length. No upper bound is applied before the allocation.

The FreeRTOS loopTask that runs the Arduino sketch has a fixed stack of 8192 bytes. A boundary string longer than approximately 8000 characters causes the VLA allocation alone to consume the entire task stack. The write through the parser then corrupts adjacent stack frames, FreeRTOS task control structures, and return addresses. The result is either an immediate crash or controlled overwrite of the saved return state.

Because Xtensa and RISC-V ESP32 targets typically run without robust stack canaries or ASLR in Arduino builds, an attacker who controls the overflow payload can pivot execution. The vulnerability requires no authentication and no user interaction.

Root Cause

The root cause is unchecked use of attacker-supplied data to size a stack allocation. The parser trusts the boundary field length from a remote HTTP client and feeds it directly into a VLA declaration. Combined with the small fixed loopTask stack and the absence of length validation, the design produces a classic stack-based buffer overflow [CWE-121].

Attack Vector

The attack is network-reachable. Any HTTP client capable of reaching the ESP32 WebServer port can deliver the payload. The attacker issues a single HTTP POST request with a Content-Type: multipart/form-data; boundary=<long_string> header where the boundary value exceeds approximately 8000 characters. The vulnerable allocation occurs before any application-level authentication runs, so endpoints protected by login logic remain exposed.

No verified public exploit code is available at the time of publication. See the GitHub Security Advisory GHSA-8cmm-3887-r32j for the vendor's technical write-up.

Detection Methods for CVE-2026-42854

Indicators of Compromise

• HTTP POST requests to ESP32 devices containing Content-Type: multipart/form-data headers with boundary= values longer than 1024 bytes
• Unexpected reboots, watchdog resets, or Guru Meditation Error panic traces on ESP32 devices following inbound HTTP traffic
• Serial log entries referencing loopTask stack overflow or corrupted backtrace pointers

Detection Strategies

• Inspect HTTP traffic at network boundaries for abnormally long Content-Type header values targeting embedded device IP ranges
• Deploy IDS or WAF rules that flag multipart/form-data boundary parameters exceeding RFC 2046 practical limits (70 characters per the RFC)
• Correlate device crash telemetry with inbound HTTP request logs to identify probing attempts

Monitoring Recommendations

• Forward ESP32 serial or syslog output to a central log collector and alert on repeated panic or reboot events
• Monitor network flows to and from IoT subnets for unusual HTTP POST request sizes targeting embedded endpoints
• Track firmware version inventory across deployed devices to identify hosts still running arduino-esp32 below 3.3.8

How to Mitigate CVE-2026-42854

Immediate Actions Required

• Upgrade arduino-esp32 to version 3.3.8 or later and rebuild all affected firmware images
• Restrict network reachability of ESP32 WebServer endpoints to trusted management VLANs or VPN segments
• Audit deployed firmware for use of the WebServer multipart parser and prioritize patching of internet-exposed devices

Patch Information

The vulnerability is fixed in arduino-esp32 version 3.3.8. The patch enforces a length limit on the multipart boundary parameter before any stack allocation. Refer to the Espressif arduino-esp32 Security Advisory for release notes and commit references. Firmware maintainers must rebuild and reflash devices because arduino-esp32 is a compile-time dependency.

Workarounds

• Place vulnerable devices behind a reverse proxy or WAF that strips or truncates oversized Content-Type headers before forwarding traffic
• Disable HTTP POST handling or remove multipart form upload routes from sketches that do not require file upload functionality
• Block inbound connections to ESP32 HTTP ports from untrusted networks at the firewall until firmware can be updated

# Example nginx reverse proxy rule to reject oversized Content-Type headers
http {
    map $http_content_type $blocked_boundary {
        default 0;
        "~*boundary=[^;]{1024,}" 1;
    }
    server {
        listen 80;
        location / {
            if ($blocked_boundary) { return 400; }
            proxy_pass http://esp32-device-ip;
        }
    }
}