CVE-2026-45352
Negative Chunk-Size Memory Allocation in cpp-httplib
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cpp-httplib | cpp-httplib | to 0.43.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-1285 | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45352 is a Denial of Service (DoS) vulnerability in the cpp-httplib library versions up to 0.43.3. It occurs because the library improperly validates the chunk-size field in HTTP chunked Transfer-Encoding. Specifically, when a negative chunk-size like "-2" is provided, the std::strtoul() function interprets it as a very large unsigned number due to unsigned wrap-around. The library only rejects the value corresponding to "-1" but accepts other negative values, causing it to allocate an excessive amount of memory while reading the chunk. This leads to an out-of-memory condition and crashes the server process.
The vulnerability can be exploited remotely without authentication by sending a malicious HTTP POST request with a negative chunk-size, causing the server to hang and eventually crash.
How can this vulnerability impact me? :
This vulnerability primarily impacts the availability of systems using the vulnerable cpp-httplib versions. An attacker can remotely cause the server to consume excessive memory and crash, resulting in a Denial of Service (DoS). This means legitimate users may be unable to access the affected service while the server is down or recovering.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual HTTP requests containing malformed chunked Transfer-Encoding headers with negative chunk sizes, such as "-2".
One way to detect exploitation attempts is to capture and analyze HTTP traffic for chunk-size fields that contain negative values or unexpected characters.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests with chunked Transfer-Encoding headers.
- Example tcpdump command to capture HTTP traffic on port 80: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Use grep or similar tools on captured logs to search for chunk-size values starting with a minus sign, e.g., grep -i 'chunked' access.log | grep -- '-[0-9]'
Additionally, monitoring server logs for crashes or out-of-memory errors related to the HTTP server process may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the cpp-httplib library to version 0.43.4 or later, where this vulnerability is fixed.
Until an upgrade is possible, consider implementing input validation or filtering at the network or application layer to reject HTTP requests with negative chunk sizes in the Transfer-Encoding header.
Additionally, monitor your systems for signs of denial-of-service conditions and apply rate limiting or firewall rules to block suspicious traffic patterns.