Skip to main content
CVE Vulnerability Database

CVE-2026-5720: miniupnpd Integer Underflow DoS Vulnerability

CVE-2026-5720 is an integer underflow flaw in miniupnpd's SOAPAction header parsing that enables denial of service attacks and information disclosure through out-of-bounds memory reads. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-5720 Overview

CVE-2026-5720 is an integer underflow vulnerability in miniupnpd's SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.

Critical Impact

This vulnerability enables attackers on adjacent networks to crash the miniupnpd daemon or potentially leak sensitive memory contents through out-of-bounds read operations, compromising the integrity and availability of network services on affected routers and IoT devices.

Affected Products

  • miniupnpd versions prior to 2.3.10
  • Network routers and IoT devices running vulnerable miniupnpd versions
  • UPnP-enabled gateway devices with miniupnpd service

Discovery Timeline

  • 2026-04-17 - CVE CVE-2026-5720 published to NVD
  • 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-5720

Vulnerability Analysis

This integer underflow vulnerability (CWE-125: Out-of-bounds Read) resides in the HTTP header parsing logic of miniupnpd, specifically within the ParseHttpHeaders() function. When processing SOAPAction headers, the code calculates the length of the header value by subtracting pointer positions. If a malformed header contains only a single quote character, the subtraction operation results in a negative value that, when interpreted as an unsigned integer, underflows to an extremely large positive value.

The vulnerability requires an attacker to be on the adjacent network (local network access) to reach the UPnP service, which typically listens on port 1900 for SSDP discovery and port 5000 for SOAP requests. No authentication or user interaction is required to exploit this flaw.

Root Cause

The root cause is insufficient input validation in the SOAPAction header parsing code. When the parser encounters a malformed SOAPAction header with a single quote character, the length calculation produces a negative result. This negative value is then passed as an unsigned size parameter to memchr(), causing it to interpret the value as a very large positive number and scan memory well beyond the intended buffer boundaries.

Attack Vector

An attacker on the adjacent network can craft a malicious HTTP request containing a SOAPAction header with only a single quote character. When miniupnpd processes this request, the integer underflow triggers memchr() to perform an out-of-bounds memory scan. This can result in:

  1. Denial of Service: The process may crash when accessing unmapped memory regions
  2. Information Disclosure: Memory contents beyond the HTTP buffer may be exposed in error responses or logs

The attack requires adjacent network access, as UPnP services are typically not exposed to the internet. However, many consumer routers and IoT devices run miniupnpd by default, creating a large attack surface on local networks.

Detection Methods for CVE-2026-5720

Indicators of Compromise

  • Unusual miniupnpd process crashes or restarts without clear cause
  • Malformed HTTP requests to UPnP ports (1900, 5000) containing single-quote SOAPAction headers
  • Memory access violations or segmentation faults in miniupnpd logs
  • Unexpected network traffic patterns targeting UPnP services from internal hosts

Detection Strategies

  • Monitor for HTTP requests to UPnP services containing malformed or unusually short SOAPAction headers
  • Implement network intrusion detection rules to identify SOAPAction headers with only quote characters
  • Configure process monitoring to alert on repeated miniupnpd crashes or abnormal restarts
  • Deploy endpoint detection to identify exploitation attempts targeting UPnP parsing functions

Monitoring Recommendations

  • Enable verbose logging on miniupnpd to capture malformed request details
  • Set up automated alerts for miniupnpd service interruptions
  • Monitor system logs for segmentation faults or memory access violations related to miniupnpd
  • Implement network segmentation monitoring to detect lateral movement following UPnP exploitation

How to Mitigate CVE-2026-5720

Immediate Actions Required

  • Update miniupnpd to version 2.3.10 or later immediately
  • Disable UPnP services on devices where the feature is not required
  • Implement network segmentation to limit exposure of UPnP-enabled devices
  • Apply firewall rules to restrict access to UPnP ports from untrusted network segments

Patch Information

The miniupnpd development team has released version 2.3.10 to address this vulnerability. The fix implements proper bounds checking in the SOAPAction header parsing logic to prevent integer underflow conditions. The patch is available through the GitHub MiniUPnP Repository and the specific security commit.

The changelog confirms the fix:

text
 $Id: Changelog.txt,v 1.535 2025/04/26 13:07:53 nanard Exp $
 
+VERSION 2.3.9 : released on 2026/03/24
+
 2026/03/24:
   fix missing fclose and potential double free in option file parsing

Source: GitHub MiniUPnP Commit

The version update to 2.3.10 is reflected in the project documentation:

text
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 2.3.9
+PROJECT_NUMBER         = 2.3.10
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

Source: GitHub MiniUPnP Commit

For additional technical details, refer to the VulnCheck Advisory on MiniUPnPd.

Workarounds

  • Disable UPnP functionality entirely if not required for network operations
  • Configure firewall rules to block external access to UPnP ports (UDP 1900, TCP 5000)
  • Implement network access controls to restrict which devices can communicate with UPnP services
  • Consider deploying a reverse proxy or application firewall to filter malformed SOAPAction headers
bash
# Firewall rules to restrict UPnP access (iptables example)
# Block external access to SSDP discovery port
iptables -A INPUT -p udp --dport 1900 -i eth0 -j DROP

# Block external access to UPnP SOAP port
iptables -A INPUT -p tcp --dport 5000 -i eth0 -j DROP

# Allow only trusted internal network segments
iptables -A INPUT -p udp --dport 1900 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -s 192.168.1.0/24 -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.