CVE-2026-12200
Status: Received - Intake
Stack-Based Buffer Overflow in Ritlabs TinyWeb Server

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A security vulnerability has been detected in Ritlabs TinyWeb Server up to 1.94 on Win32. It affects an unknown function in the library libeay32.dll of the component Header Handler. Manipulation of the Authorization argument leads to a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ritlabs; Product: tinyweb_server; Version / Range: up to 1.94 (inclusive)
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

CVE-2026-12200 is a stack-based buffer overflow in Ritlabs TinyWeb Server up to version 1.94 on Win32. It is triggered while the Header Handler component processes the Authorization header; the affected code is reported to be in libeay32.dll (the Win32 OpenSSL crypto library). An attacker who can send HTTP requests to the server supplies an over-long Authorization value that overflows a 692-byte stack buffer.

The public exploit builds a payload with precise padding and return addresses and uses a Return-Oriented Programming (ROP) chain to defeat DEP. The gadget addresses are fixed for particular DLL builds, so ASLR is sidestepped only on systems where those DLLs load at the expected addresses. The chain redirects execution to the stack, where a small decoder adjusts the stack pointer and writes the shellcode into memory; an egghunter then searches the heap for the shellcode and jumps to it, with calc.exe as the proof-of-concept payload.
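The following C program is an added illustration of the CWE-121 pattern described above and is not TinyWeb's source (TinyWeb is closed-source and its handler is not on this page). It assumes the bug has the classic shape, an unbounded copy of the header value into a fixed-size stack buffer, and uses the 692-byte size reported for this CVE; whether the real count includes the "Basic " prefix is not stated on the page. The hardened form measures before copying and rejects anything that would not fit with its terminator. The function names, the result codes and the sample credential "user:pass" are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define AUTH_BUF_SIZE 692   /* stack buffer size reported for CVE-2026-12200 */

enum auth_result { AUTH_OK = 0, AUTH_BAD_SCHEME = -1, AUTH_TOO_LONG = -2 };

/* Vulnerable shape (CWE-121), hypothetical reconstruction: the header value
 * is copied into a fixed-size stack buffer with no length check, so a value
 * of AUTH_BUF_SIZE bytes or more overwrites the saved frame pointer and
 * return address. Only ever call this with a short value. */
int vulnerable_handle_authorization(const char *value)
{
    char creds[AUTH_BUF_SIZE];
    strcpy(creds, value);                     /* unbounded copy: the bug */
    return strncasecmp(creds, "Basic ", 6) == 0 ? AUTH_OK : AUTH_BAD_SCHEME;
}

/* Hardened form: measure first, reject over-long values before any copy,
 * then copy with an explicit bound and a guaranteed NUL terminator. */
int safe_handle_authorization(const char *value)
{
    char creds[AUTH_BUF_SIZE];
    size_t len = strlen(value);

    if (len >= sizeof creds)                  /* no room for the terminator */
        return AUTH_TOO_LONG;                 /* answer 400 or 431 and log it */
    if (strncasecmp(value, "Basic ", 6) != 0)
        return AUTH_BAD_SCHEME;

    memcpy(creds, value, len + 1);            /* bounded: len < sizeof creds */
    /* base64-decode creds + 6 and verify the credentials here */
    return AUTH_OK;
}

/* Helper: push a synthetic "Basic AAAA..." value of total length n through
 * the hardened handler, so the threshold can be exercised without ever
 * feeding oversized input to the vulnerable copy. */
int safe_result_for_length(size_t n)
{
    char buf[4096];
    if (n + 1 > sizeof buf)
        return AUTH_TOO_LONG;
    memset(buf, 'A', n);
    buf[n] = '\0';
    if (n >= 6)
        memcpy(buf, "Basic ", 6);
    return safe_handle_authorization(buf);
}

int main(void)
{
    const char *ok = "Basic dXNlcjpwYXNz";   /* "user:pass", constructed */
    printf("short value, vulnerable handler: %d\n", vulnerable_handle_authorization(ok));
    printf("short value, hardened handler:   %d\n", safe_handle_authorization(ok));
    printf("691-byte value: %d, 692-byte value: %d\n",
           safe_result_for_length(691), safe_result_for_length(692));
    return 0;
}
```

The point of the hardened version is the order of operations: the length is checked against the buffer (leaving one byte for the terminator) before a single byte is copied, so the check cannot be bypassed by anything the decoder does later.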

Impact Analysis

This vulnerability allows a remote attacker to execute arbitrary code on the affected system by overflowing the stack buffer used while the Authorization header is processed. Successful exploitation runs attacker-supplied code in the context of the TinyWeb process, compromising the server and whatever it can reach.

Because the public exploit defeats DEP and ASLR with hard-coded addresses, it is reported to be reliable on certain Windows 10 (32-bit) systems with specific DLL versions; on other builds the addresses miss and the likely outcome is a crash of the server (denial of service) rather than code execution. A successful compromise can lead to data theft or further attacks launched from the compromised host.

Detection Guidance

The vulnerability is triggered by a specially crafted Authorization header in an HTTP request to the TinyWeb listener, so that header is the observable to watch.

Detection can focus on the length of the Authorization value: legitimate Basic credentials are a few dozen bytes, so a value at or above 692 bytes, the size of the overflowed buffer, is a strong signal of an exploit attempt or a probe. A value that is not well-formed Base64, or that decodes to anything other than printable user:password text, is equally suspicious.

On a plaintext HTTP link, tcpdump or Wireshark can pull the header out of the request:

  • tcpdump -i <interface> -l -A 'tcp dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '^authorization:' | awk 'length($0) > 700'
    (the BPF expression keeps only segments that carry payload; adjust the port if TinyWeb listens elsewhere; the awk step prints only header lines longer than 700 characters)
  • In Wireshark, the display filter len(http.authorization) > 692 isolates the requests of interest; inspect the value for non-Base64 bytes or a decoded form that is not user:password.

If the server is reached over HTTPS, packet capture sees only ciphertext; inspect at the TLS-terminating proxy or on the host instead.

On the host, a TinyWeb crash or an unexpected child process (the public exploit spawns calc.exe as its proof of concept) shortly after such a request is a strong indicator of an exploitation attempt.

Mitigation Strategies

Immediate mitigation is to reject HTTP requests whose Authorization value exceeds a sane length limit before they reach TinyWeb; a Basic credential is tens of bytes, so a cap well below 692 bytes loses nothing legitimate.

Since no patch exists and the vendor has not responded to the disclosure, disable the server or restrict access to it to trusted networks where possible.

Where it must stay reachable, front it with a reverse proxy, Web Application Firewall (WAF) or Intrusion Prevention System (IPS) that enforces the header-length cap and blocks exploit attempts targeting this vulnerability.

Monitor server logs for unusual Authorization header usage and crashes, and consider isolating affected systems so that a compromise cannot be used as a foothold into the rest of the network.
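The following C program is an added example that serves both the Detection Guidance and the Mitigation Strategies above; it is not TinyWeb's code nor part of any WAF product. It parses a raw HTTP/1.x request, measures the Authorization value (case-insensitive header match, surrounding whitespace excluded) and applies one policy, "block or alert at 692 bytes or more", that a proxy filter or an IDS rule would share. The sample requests, the host name intranet.example, the "user:pass" credential and the probe builder are all constructed for the example; the 692 figure comes from the page.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define AUTH_LIMIT 692   /* stack buffer size reported for CVE-2026-12200 */

/* Constructed sample requests (not real captures). */
const char BENIGN_REQUEST[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"      /* "user:pass", 18 bytes */
    "\r\n";

const char LOWERCASE_REQUEST[] =                 /* odd casing and spacing */
    "GET / HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "authorization:\tBasic dXNlcjpwYXNz \r\n"
    "\r\n";

const char NO_AUTH_REQUEST[] =
    "GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n";

/* Length of the Authorization header value in a raw HTTP/1.x request, or -1
 * if the header is absent. Header names are matched case-insensitively
 * (RFC 9110); optional whitespace around the value is not counted. */
long authorization_value_length(const char *req)
{
    const char *line = strstr(req, "\r\n");       /* skip the request line */
    if (line == NULL)
        return -1;
    line += 2;

    while (*line != '\0' && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen >= 14 && strncasecmp(line, "Authorization:", 14) == 0) {
            const char *v = line + 14, *end = line + linelen;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t'))
                end--;
            return (long)(end - v);
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return -1;
}

/* Policy shared by alerting and blocking: a value at or beyond the buffer
 * size can only be an exploit attempt or a probe. */
int should_block(const char *req, long limit)
{
    return authorization_value_length(req) >= limit;
}

/* Build a probe of the kind an exploit would send: "Basic " followed by
 * `padding` filler bytes (no real payload). Returns the value length the
 * parser sees, so the threshold can be exercised end to end. */
long probe_value_length(size_t padding)
{
    static char buf[4096];
    const char *head = "GET / HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic ";
    size_t n = strlen(head);
    if (n + padding + 4 >= sizeof buf)
        return -1;
    memcpy(buf, head, n);
    memset(buf + n, 'A', padding);
    memcpy(buf + n + padding, "\r\n\r\n", 5);      /* includes the NUL */
    return authorization_value_length(buf);
}

int probe_should_block(size_t padding)
{
    return probe_value_length(padding) >= AUTH_LIMIT;
}

int main(void)
{
    printf("benign: %ld bytes, block=%d\n",
           authorization_value_length(BENIGN_REQUEST),
           should_block(BENIGN_REQUEST, AUTH_LIMIT));
    printf("probe with 900 filler bytes: %ld bytes, block=%d\n",
           probe_value_length(900), probe_should_block(900));
    return 0;
}
```

In a real deployment the same measurement sits in front of the server (reverse proxy or WAF, rejecting with 400 or 431) and in the detection pipeline (alert and keep the request body for analysis); keeping one threshold in one place avoids the two drifting apart. Decoding the Base64 and checking for printable user:password text is a useful second test, but the length check alone already catches the payload this CVE needs.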
