CVE-2026-3945
Integer Overflow in tinyproxy HTTP Parser Causes DoS
Publication date: 2026-03-30
Last updated on: 2026-03-30
Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tinyproxy | tinyproxy | to 1.11.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3945 is an integer overflow vulnerability in the HTTP chunked transfer encoding parser of the Tinyproxy software up to version 1.11.3. The vulnerability occurs because the chunk size values are parsed using the function strtol() without properly validating overflow conditions. Specifically, very large chunk sizes, such as 0x7fffffffffffffff (LONG_MAX), bypass existing checks and cause a signed integer overflow during arithmetic operations. This leads to incorrect size calculations, causing the proxy to attempt reading an extremely large amount of data and holding worker connections open indefinitely.
An unauthenticated remote attacker can exploit this flaw by sending specially crafted chunked HTTP requests with malicious chunk sizes. This causes the proxy to exhaust all available worker slots, preventing new connections from being accepted and resulting in a denial of service (DoS).
The issue was addressed in the Tinyproxy source code by adding strict boundary checks on the chunk length to ensure it is neither negative nor excessively large (greater than 0x0fffffff). This prevents integer overflow and mitigates the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Tinyproxy allows an unauthenticated remote attacker to cause a denial of service (DoS) by exhausting worker connections, leading to complete service unavailability.
While the CVE description and resources detail the technical impact and mitigation of the vulnerability, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can be exploited remotely by an unauthenticated attacker to cause a denial of service (DoS) on the Tinyproxy server. By sending maliciously crafted HTTP chunked requests with oversized chunk sizes, the attacker can trigger an integer overflow that causes the proxy to miscalculate the amount of data to read.
As a result, the proxy holds worker connections open indefinitely, exhausting all available worker slots. This prevents new client connections from being accepted, leading to complete service unavailability.
In practical terms, this means that legitimate users will be unable to use the proxy service while the attack is ongoing, potentially disrupting business operations or access to network resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an integer overflow in the HTTP chunked transfer encoding parser of Tinyproxy, which can be triggered by sending crafted HTTP requests with extremely large chunk size values.
To detect exploitation attempts on your network or system, you can monitor HTTP traffic for suspicious chunked transfer encoding headers containing unusually large chunk size values, such as values close to or exceeding 0x0fffffff or the maximum LONG_MAX (0x7fffffffffffffff).
While no specific detection commands are provided in the resources, you can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and filter for chunked transfer encoding with large chunk sizes.
- Example tcpdump command to capture HTTP traffic on port 8888 (default Tinyproxy port): tcpdump -i any -s 0 -A 'tcp port 8888 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Use grep or similar tools to search captured traffic for chunk size headers with suspiciously large hexadecimal values.
Additionally, reviewing Tinyproxy logs for worker connections that remain open indefinitely or an exhaustion of worker slots may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch that enforces strict validation of chunk size values in Tinyproxy's chunked transfer encoding parser.
Specifically, update the Tinyproxy source code to include the boundary check that rejects chunk lengths that are negative or exceed 0x0fffffff, as introduced in commit bb7edc4.
If upgrading or patching is not immediately possible, consider restricting or filtering incoming HTTP requests with suspiciously large chunk sizes at the network perimeter using a web application firewall (WAF) or proxy rules.
Monitor and limit the number of worker connections to prevent exhaustion from malformed requests.
Finally, upgrade Tinyproxy to a version that includes the fix once it is officially released, as the latest stable release 1.11.3 remains affected.