Skip to main content

Miniupnpd EUVDEUVD-2026-23565

| CVE-2026-5720 HIGH
Integer Underflow (CWE-191)
2026-04-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 20, 2026 - 19:05 nvd
Patch available
Re-analysis Queued
Apr 20, 2026 - 17:52 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:19 vuln.today
Patch available
Apr 17, 2026 - 22:16 EUVD
EUVD ID Assigned
Apr 17, 2026 - 21:45 euvd
EUVD-2026-23565
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
CVE Published
Apr 17, 2026 - 21:39 nvd
HIGH 7.1

DescriptionCVE.org

miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.

AnalysisAI

Integer underflow in miniupnpd's SOAPAction header parser triggers out-of-bounds memory reads, enabling adjacent network attackers to crash UPnP-enabled routers or leak sensitive memory contents without authentication. Affects miniupnpd versions prior to 2.3.10. Vendor patch available via commit a0ee71e9fa66. CVSS 7.1 with adjacent network vector (AV:A) indicates attackers must be on the same local network segment as the vulnerable device. No active exploitation confirmed in CISA KEV at time of analysis.

Technical ContextAI

Miniupnpd is a lightweight UPnP Internet Gateway Device (IGD) daemon commonly embedded in home routers and network appliances to enable automatic port forwarding. The vulnerability (CWE-191: Integer Underflow) resides in ParseHttpHeaders() where SOAPAction header processing fails to validate string length before arithmetic operations. When a malformed header contains only a single quote character, the length calculation underflows from a small positive integer to a large unsigned value (typically wrapping to values near UINT_MAX). This underflowed length is then passed to memchr() as a bounds parameter, causing the memory scanning function to read far beyond the allocated HTTP request buffer into adjacent heap or stack memory regions. The CVSS 4.0 vector confirms Adjacent Network attack vector (AV:A), meaning exploitation requires Layer 2 network proximity-attackers must be on the same LAN segment or WiFi network as the vulnerable UPnP service, which typically listens on TCP port 5000 or other non-standard ports on the internal interface.

RemediationAI

Upgrade miniupnpd to version 2.3.10 or later, which contains the fix committed in a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8 available at https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8. For embedded devices running miniupnpd as part of vendor firmware, check manufacturer security bulletins for updated firmware releases incorporating the patched miniupnpd version-note that OEM patch cycles may lag upstream releases by weeks or months. If immediate patching is not feasible, implement compensating controls: (1) Disable UPnP IGD functionality entirely if automatic port forwarding is not required (eliminates attack surface but breaks applications relying on UPnP port mapping); (2) Restrict miniupnpd to bind only on trusted internal interfaces and ensure it is not exposed to guest WiFi networks or DMZ segments (reduces attacker proximity requirement but does not prevent exploitation from compromised internal clients); (3) Deploy network segmentation with VLANs to isolate IoT/UPnP-enabled devices from critical network segments (limits lateral movement post-exploitation but adds management overhead). For internet-facing deployments (non-standard configurations), immediately firewall block external access to UPnP ports as adjacent-network vulnerability becomes remotely exploitable if service is internet-accessible. Monitor for abnormal miniupnpd process crashes or restart loops as potential exploitation indicators.

CVE-2013-0230 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP

CVE-2013-0229 HIGH POC
7.8 Jan 31

The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attacke

CVE-2017-8798 CRITICAL POC
9.8 May 11

Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of s

CVE-2019-12111 HIGH POC
7.5 May 15

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in copyIPv6

CVE-2019-12110 HIGH POC
7.5 May 15

An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer derefer

CVE-2019-12109 HIGH POC
7.5 May 15

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutbo

CVE-2019-12108 HIGH POC
7.5 May 15

A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutbo

CVE-2019-12107 HIGH POC
7.5 May 15

The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd through 2.1 allows a remote attacker to leak infor

CVE-2019-12106 HIGH POC
7.5 May 15

The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and 1.5 allows a remote attacker to crash the process

CVE-2013-1462 HIGH
7.8 Jan 31

Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP Min

CVE-2013-1461 HIGH
7.8 Jan 31

The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote att

Share

EUVD-2026-23565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy