CVE-2026-5720

Name
CVE-2026-5720
Description
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
disclosure@vulncheck.com https://github.com/miniupnp/miniupnp/
disclosure@vulncheck.com https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8
disclosure@vulncheck.com https://www.vulncheck.com/advisories/miniupnpd-integer-underflow-soapaction-header-parsing
disclosure@vulncheck.com https://github.com/miniupnp/miniupnp/commit/b5e5d2eb069822b7f00d56c8e61033b9d500e60c
disclosure@vulncheck.com https://github.com/miniupnp/miniupnp/commit/f56bd09b2f2650126b832c5f30a65a09e28167fa

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:miniupnp_project:miniupnpd:*:*:*:*:*:*:*:* miniupnpd >= None < 2.3.10

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
miniupnpd edge-community 2.3.10-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
miniupnpd edge-community 2.3.9-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
miniupnpd edge-community 2.3.7-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
miniupnpd edge-community 2.2.2-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
miniupnpd 3.23-community 2.3.9-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable