Vulnerability Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Espressif | Arduino-Esp32 | < 3.3.8 |
Related Weaknesses (CWE)
References
- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-8cmm-3887-r3ExploitVendor Advisory
- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-8cmm-3887-r3ExploitVendor Advisory
FAQ
What is CVE-2026-42854?
CVE-2026-42854 is a vulnerability with a CVSS score of 9.8 (CRITICAL). arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a V...
How severe is CVE-2026-42854?
CVE-2026-42854 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-42854?
Check the references section above for vendor advisories and patch information. Affected products include: Espressif Arduino-Esp32.