Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.
AnalysisAI
Integer underflow in miniupnpd's SOAPAction header parser triggers out-of-bounds memory reads, enabling adjacent network attackers to crash UPnP-enabled routers or leak sensitive memory contents without authentication. Affects miniupnpd versions prior to 2.3.10. Vendor patch available via commit a0ee71e9fa66. CVSS 7.1 with adjacent network vector (AV:A) indicates attackers must be on the same local network segment as the vulnerable device. No active exploitation confirmed in CISA KEV at time of analysis.
Technical ContextAI
Miniupnpd is a lightweight UPnP Internet Gateway Device (IGD) daemon commonly embedded in home routers and network appliances to enable automatic port forwarding. The vulnerability (CWE-191: Integer Underflow) resides in ParseHttpHeaders() where SOAPAction header processing fails to validate string length before arithmetic operations. When a malformed header contains only a single quote character, the length calculation underflows from a small positive integer to a large unsigned value (typically wrapping to values near UINT_MAX). This underflowed length is then passed to memchr() as a bounds parameter, causing the memory scanning function to read far beyond the allocated HTTP request buffer into adjacent heap or stack memory regions. The CVSS 4.0 vector confirms Adjacent Network attack vector (AV:A), meaning exploitation requires Layer 2 network proximity-attackers must be on the same LAN segment or WiFi network as the vulnerable UPnP service, which typically listens on TCP port 5000 or other non-standard ports on the internal interface.
RemediationAI
Upgrade miniupnpd to version 2.3.10 or later, which contains the fix committed in a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8 available at https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8. For embedded devices running miniupnpd as part of vendor firmware, check manufacturer security bulletins for updated firmware releases incorporating the patched miniupnpd version-note that OEM patch cycles may lag upstream releases by weeks or months. If immediate patching is not feasible, implement compensating controls: (1) Disable UPnP IGD functionality entirely if automatic port forwarding is not required (eliminates attack surface but breaks applications relying on UPnP port mapping); (2) Restrict miniupnpd to bind only on trusted internal interfaces and ensure it is not exposed to guest WiFi networks or DMZ segments (reduces attacker proximity requirement but does not prevent exploitation from compromised internal clients); (3) Deploy network segmentation with VLANs to isolate IoT/UPnP-enabled devices from critical network segments (limits lateral movement post-exploitation but adds management overhead). For internet-facing deployments (non-standard configurations), immediately firewall block external access to UPnP ports as adjacent-network vulnerability becomes remotely exploitable if service is internet-accessible. Monitor for abnormal miniupnpd process crashes or restart loops as potential exploitation indicators.
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP
The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attacke
Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of s
A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in copyIPv6
An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer derefer
A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutbo
A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutbo
The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd through 2.1 allows a remote attacker to leak infor
The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process
Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP Min
The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote att
Same weakness CWE-191 – Integer Underflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23565