UBUNTU-CVE-2026-45352

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-45352
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45352.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-45352
Upstream
  • CVE-2026-45352
Published
2026-05-29T20:16:00Z
Modified
2026-06-03T11:25:23Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::readpayload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONGMAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONGMAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunkremaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.

References

Affected packages

Ubuntu:Pro:22.04:LTS / cpp-httplib

Package

Name
cpp-httplib
Purl
pkg:deb/ubuntu/cpp-httplib?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.9.9+ds-1
0.9.10+ds-1
0.10.1+ds-1
0.10.2+ds-1
0.10.3+ds-1
0.10.3+ds-1ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libcpp-httplib0",
            "binary_version": "0.10.3+ds-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45352.json"

Ubuntu:Pro:24.04:LTS / cpp-httplib

Package

Name
cpp-httplib
Purl
pkg:deb/ubuntu/cpp-httplib?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.13.1+ds-1ubuntu1
0.14.3+ds-1
0.14.3+ds-1.1
0.14.3+ds-1.1build1
0.14.3+ds-1.1build2
0.14.3+ds-1.1ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libcpp-httplib0.14t64",
            "binary_version": "0.14.3+ds-1.1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45352.json"

Ubuntu:25.10 / cpp-httplib

Package

Name
cpp-httplib
Purl
pkg:deb/ubuntu/cpp-httplib?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.18.7-1
0.18.7-1ubuntu0.25.10.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libcpp-httplib0.18",
            "binary_version": "0.18.7-1ubuntu0.25.10.1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45352.json"

Ubuntu:26.04:LTS / cpp-httplib

Package

Name
cpp-httplib
Purl
pkg:deb/ubuntu/cpp-httplib?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.18.7-1
0.26.0+ds-2ubuntu2
0.26.0+ds-2ubuntu3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libcpp-httplib0.26",
            "binary_version": "0.26.0+ds-2ubuntu3"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45352.json"