CVE-2026-45352 Overview
CVE-2026-45352 is a denial-of-service vulnerability in cpp-httplib, a C++11 single-file header-only HTTP/HTTPS library by yhirose. Versions prior to 0.43.4 mishandle the chunk-size field of HTTP chunked Transfer-Encoding. A negative chunk-size value such as -2 triggers unsigned integer wrap-around inside ChunkedDecoder::read_payload, producing a near-maximum allocation length. The result is unbounded memory allocation and process termination on any server or client that consumes attacker-controlled chunked HTTP traffic.
Critical Impact
A single unauthenticated network request containing a negative chunk-size crashes the cpp-httplib process and exhausts host memory, disrupting availability of any service built on the library.
Affected Products
- yhirose cpp-httplib versions prior to 0.43.4
- Applications statically linking the vulnerable httplib.h header
- HTTP servers and clients built on cpp-httplib that process chunked Transfer-Encoding
Discovery Timeline
- 2026-05-29 - CVE-2026-45352 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45352
Vulnerability Analysis
The flaw resides in ChunkedDecoder::read_payload within httplib.h. The function parses the chunk-size field of an incoming HTTP chunked Transfer-Encoding stream using std::strtoul(). Per the C standard §7.22.1.4, strtoul silently accepts a leading minus sign and performs unsigned wrap-around. Calling strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE).
The library's single validation guard at line 12833 rejects only ULONG_MAX, the value produced by parsing "-1". Every other negative input bypasses validation. The library then stores the wrapped value in chunk_remaining, which controls the byte count consumed from the network. The server enters a read loop sized to nearly the full address space, allocating buffers until the process is killed. This maps to [CWE-20] Improper Input Validation.
Root Cause
The root cause is reliance on strtoul semantics without rejecting negative inputs before unsigned conversion. The chunk-size parser accepts any value that does not exactly equal ULONG_MAX, leaving the wrap-around range fully reachable by attacker-controlled chunk metadata.
Attack Vector
An unauthenticated remote attacker sends an HTTP request or response containing a chunked Transfer-Encoding body with a chunk-size header line such as -2\r\n. The cpp-httplib endpoint parses the value, wraps it to a near-ULONG_MAX length, and attempts to consume that many bytes from the socket, triggering memory exhaustion and process crash. No authentication or user interaction is required.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-h6wq-j5mv-f3q8 for vendor technical details.
Detection Methods for CVE-2026-45352
Indicators of Compromise
- HTTP requests or responses containing a chunked Transfer-Encoding body where the chunk-size line begins with - (e.g., -1, -2, -FF).
- Sudden cpp-httplib process termination correlated with rapid resident memory growth.
- Repeated SIGKILL or out-of-memory (OOM) kernel events affecting services linked against httplib.h.
Detection Strategies
- Inspect HTTP traffic at proxies, WAFs, or IDS sensors for chunk-size fields containing non-hexadecimal characters or a leading minus sign.
- Hunt process telemetry for cpp-httplib-based binaries terminating with OOM signals shortly after receiving chunked requests.
- Search build manifests, SBOMs, and source trees for httplib.h versions below 0.43.4.
Monitoring Recommendations
- Alert on host memory utilization spikes that coincide with inbound HTTP traffic to services known to embed cpp-httplib.
- Log and review HTTP request headers where Transfer-Encoding: chunked is present, focusing on malformed chunk-size syntax.
- Track service restart counts for cpp-httplib-based applications as a leading indicator of repeated exploitation attempts.
How to Mitigate CVE-2026-45352
Immediate Actions Required
- Upgrade cpp-httplib to version 0.43.4 or later and rebuild all dependent binaries.
- Inventory applications that statically link httplib.h and prioritize patching internet-exposed services first.
- Deploy WAF or reverse-proxy rules that reject chunked requests with malformed chunk-size fields until patching completes.
Patch Information
The vulnerability is fixed in cpp-httplib0.43.4. The fix corrects chunk-size validation in ChunkedDecoder::read_payload so that negative inputs are rejected before being stored in chunk_remaining. Refer to the GitHub Security Advisory GHSA-h6wq-j5mv-f3q8 for the patch commit and release notes.
Workarounds
- Front cpp-httplib services with a hardened reverse proxy (e.g., nginx, HAProxy) that re-chunks or validates Transfer-Encoding before forwarding.
- Filter inbound HTTP traffic to drop requests whose chunk-size lines contain a - character or non-hex digits.
- Apply per-process memory limits via cgroups or ulimit to contain the blast radius of crashes until the patch is deployed.
# Configuration example: systemd memory cap for a cpp-httplib service
[Service]
MemoryMax=512M
MemoryHigh=384M
Restart=on-failure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
