yhirose cpp-httplib up to 0.43.3 httplib.h std::strtoul chunk-size denial of service
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability marked as problematic has been reported in yhirose cpp-httplib up to 0.43.3. This issue affects the function std::strtoul in the library httplib.h. Performing a manipulation of the argument chunk-size results in denial of service.
This vulnerability is identified as CVE-2026-45352. The attack can be initiated remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
Details
A vulnerability classified as problematic has been found in yhirose cpp-httplib up to 0.43.3. This affects the function std::strtoul in the library httplib.h. The manipulation of the argument chunk-size with an unknown input leads to a denial of service vulnerability. CWE is classifying the issue as CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. This is going to have an impact on availability. The summary by CVE is:
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-45352 since 05/11/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 318020 (Linux Distros Unpatched Vulnerability : CVE-2026-45352), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 0.43.4 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (318020). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
Version
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 5.3
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Denial of serviceCWE: CWE-404
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 318020
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-45352
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: cpp-httplib 0.43.4
Timeline
05/11/2026 CVE reserved05/29/2026 Advisory disclosed
05/29/2026 VulDB entry created
06/01/2026 VulDB entry last update
Sources
Product: github.comAdvisory: github.com
Status: Confirmed
CVE: CVE-2026-45352 (🔒)
GCVE (CVE): GCVE-0-2026-45352
GCVE (VulDB): GCVE-100-367371
Entry
Created: 05/29/2026 21:51Updated: 06/01/2026 02:37
Changes: 05/29/2026 21:51 (66), 06/01/2026 02:37 (2)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.