{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5720", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-06T20:18:57.634Z", "datePublished": "2026-04-17T21:39:54.818Z", "dateUpdated": "2026-04-17T21:39:54.818Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-17T21:39:54.818Z"}, "title": "miniupnpd Integer Underflow SOAPAction Header Parsing", "datePublic": "2026-04-17T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}, {"lang": "en", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "miniupnp project", "product": "miniupnpd", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.10", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.</p>"}]}], "references": [{"url": "https://github.com/miniupnp/miniupnp/", "tags": ["product"]}, {"url": "https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8"}, {"url": "https://www.vulncheck.com/advisories/miniupnpd-integer-underflow-soapaction-header-parsing", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Kazuma Matsumoto", "type": "finder"}], "source": {"discovery": "EXTERNAL"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer."}], "id": "CVE-2026-5720", "lastModified": "2026-04-17T22:16:33.803", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.803", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/miniupnp/miniupnp/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/miniupnp/miniupnp/commit/a0ee71e9fa66b60052bb3d2cf84380b79db3f8c8"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/miniupnpd-integer-underflow-soapaction-header-parsing"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "miniupnpd", "source": "cna", "vendor": "miniupnp project"}, "product": "miniupnpd", "vendor": "miniupnp_project"}], "analysis": {"en": {"generated_at": "2026-04-18T08:53:28.057806+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest miniupnpd release that incorporates the fix for the integer underflow in ParseHttpHeaders().", "If an immediate upgrade is not possible, replace the vulnerable ParseHttpHeaders() function with the patched code from the commit referenced in the advisories.", "Verify that the SOAPAction header is now validated correctly and that out\u2011of\u2011bounds reads can no longer occur."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service and Information Disclosure"}, "threat_synthesis": {"affected_systems": "Products affected by this vulnerability are the miniupnp project\u2019s miniupnpd daemon. No specific version information is provided in the CNA data, so all installed builds of miniupnpd remain potentially vulnerable until the patch is applied.", "description_and_impact": "The vulnerability is an integer underflow in SOAPAction header parsing within the ParseHttpHeaders() routine of miniupnpd. When a specially crafted SOAPAction header containing a single quote is processed, the measured length underflows, yielding a large unsigned value that is used by memchr(). This causes the routine to scan far beyond the allocated HTTP request buffer, potentially leading to an out\u2011of\u2011bounds read. The resulting denial of service or accidental disclosure of memory contents demonstrates the severity of the flaw, consistent with CWE\u2011125 (Out\u2011of\u2011Bounds Read) and CWE\u2011191 (Signed/Unsigned Conversion Errors).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact, and the lack of EPSS data implies no quantifiable probability yet. Because the fault is triggered by a malformed HTTP header, an attacker only needs network access to target a running miniupnpd instance; no additional privileges are required. The flaw is not catalogued by CISA KEV at present, but the potential for remote denial of service and information disclosure warrants prompt attention."}}}}, "created": "2026-04-17T23:15:30.662258+00:00", "updated": "2026-04-18T09:00:05.896623+00:00", "vendors": ["miniupnp_project", "miniupnp_project$PRODUCT$miniupnpd"]}