CVE-2026-45352
Modified Modified - Updated After Analysis
Negative Chunk-Size Memory Allocation in cpp-httplib

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (Β§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX βˆ’ 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-02
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45352
EUVD
EUVD-2026-33425
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yhirose cpp-httplib to 0.43.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-1285 The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability primarily impacts the availability of systems using the vulnerable cpp-httplib versions. An attacker can remotely cause the server to consume excessive memory and crash, resulting in a Denial of Service (DoS). This means legitimate users may be unable to access the affected service while the server is down or recovering.

Executive Summary

CVE-2026-45352 is a Denial of Service (DoS) vulnerability in the cpp-httplib library versions up to 0.43.3. It occurs because the library improperly validates the chunk-size field in HTTP chunked Transfer-Encoding. Specifically, when a negative chunk-size like "-2" is provided, the std::strtoul() function interprets it as a very large unsigned number due to unsigned wrap-around. The library only rejects the value corresponding to "-1" but accepts other negative values, causing it to allocate an excessive amount of memory while reading the chunk. This leads to an out-of-memory condition and crashes the server process.

The vulnerability can be exploited remotely without authentication by sending a malicious HTTP POST request with a negative chunk-size, causing the server to hang and eventually crash.

Detection Guidance

This vulnerability can be detected by monitoring for unusual HTTP requests containing malformed chunked Transfer-Encoding headers with negative chunk sizes, such as "-2".

One way to detect exploitation attempts is to capture and analyze HTTP traffic for chunk-size fields that contain negative values or unexpected characters.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests with chunked Transfer-Encoding headers.
  • Example tcpdump command to capture HTTP traffic on port 80: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use grep or similar tools on captured logs to search for chunk-size values starting with a minus sign, e.g., grep -i 'chunked' access.log | grep -- '-[0-9]'

Additionally, monitoring server logs for crashes or out-of-memory errors related to the HTTP server process may indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade the cpp-httplib library to version 0.43.4 or later, where this vulnerability is fixed.

Until an upgrade is possible, consider implementing input validation or filtering at the network or application layer to reject HTTP requests with negative chunk sizes in the Transfer-Encoding header.

Additionally, monitor your systems for signs of denial-of-service conditions and apply rate limiting or firewall rules to block suspicious traffic patterns.

Compliance Impact

This vulnerability causes a Denial of Service (DoS) condition by allowing unbounded memory allocation and process crash when processing malformed HTTP chunked transfer encoding. The primary impact is reduced availability of the affected service.

Reduced availability due to DoS can affect compliance with standards like GDPR and HIPAA, which require maintaining availability and integrity of systems processing sensitive data. However, the vulnerability does not directly impact confidentiality or integrity.

Therefore, while this vulnerability may pose a risk to service availability, it does not directly cause data breaches or unauthorized access that would violate these regulations. Organizations should consider the availability impact in their risk assessments and mitigation plans to maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart