PT-2026-40454 · Espressif Systems · Arduino-Esp32

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-42854

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: arduino-esp32 versions prior to 3.3.8

Description: The WebServer multipart form parser allocates a Variable Length Array (VLA), an array whose size is determined at runtime, on the stack. The size of this array is derived from the boundary parameter of the Content-Type HTTP header field without any length enforcement. An attacker can send a boundary string exceeding approximately 8000 characters to overflow the 8192-byte task stack of the loopTask() function, leading to a system crash and potential remote code execution.

Recommendations: Update to version 3.3.8.
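The root cause described above is a stack array whose size is chosen by the client. The following C example is added here to illustrate the defensive pattern; it is not arduino-esp32 code and does not reproduce the project's parser. It assumes a compile-time cap of 70 characters (the maximum boundary length permitted by RFC 2046) and uses hypothetical function names (parse_boundary_bounded, oversized_boundary_rejected) and constructed header values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not arduino-esp32 code. RFC 2046 caps a multipart boundary
 * at 70 characters; that is the assumed upper bound enforced here. */
#define BOUNDARY_MAX 70

/*
 * Shape of the weakness described in the advisory (illustrative only):
 *
 *     size_t len = length_of_boundary_param(content_type); // client-controlled
 *     char full_boundary[len + 3];                         // VLA on the task stack
 *
 * With a VLA, the client decides how much stack the handler consumes. The fix
 * is to validate the length against a fixed limit before any allocation and
 * to copy into a fixed-size buffer instead of a VLA.
 */

/* Copy the boundary parameter of a Content-Type value into a fixed buffer.
 * Returns the boundary length, or -1 if the parameter is missing, empty,
 * longer than BOUNDARY_MAX, unterminated (quoted form), or does not fit. */
int parse_boundary_bounded(const char *content_type, char *out, size_t out_size)
{
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return -1;
    p += strlen("boundary=");

    bool quoted = (*p == '"');
    if (quoted)
        p++;

    /* Measure first; the length is checked against a compile-time limit
     * before a single byte is copied. */
    const char *end = p;
    if (quoted) {
        while (*end != '\0' && *end != '"')
            end++;
        if (*end != '"')
            return -1;                  /* unterminated quoted value */
    } else {
        while (*end != '\0' && *end != ';' && *end != ' ' &&
               *end != '\t' && *end != '\r' && *end != '\n')
            end++;
    }
    size_t len = (size_t)(end - p);
    if (len == 0 || len > BOUNDARY_MAX || len + 1 > out_size)
        return -1;

    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed Content-Type header carrying an n-character boundary
 * and report whether the bounded parser rejects it. The header is heap
 * allocated so this check itself never creates a large stack frame. */
bool oversized_boundary_rejected(size_t n)
{
    const char prefix[] = "multipart/form-data; boundary=";
    char *ct = malloc(sizeof prefix + n);   /* prefix, n bytes, NUL */
    if (ct == NULL)
        return false;
    memcpy(ct, prefix, sizeof prefix - 1);
    memset(ct + sizeof prefix - 1, 'A', n);
    ct[sizeof prefix - 1 + n] = '\0';

    char boundary[BOUNDARY_MAX + 1];        /* fixed size, not a VLA */
    int rc = parse_boundary_bounded(ct, boundary, sizeof boundary);
    free(ct);
    return rc < 0;
}

int main(void)
{
    char boundary[BOUNDARY_MAX + 1];
    /* Constructed sample header value. */
    const char *ok = "multipart/form-data; boundary=----FormBoundaryX1";
    int len = parse_boundary_bounded(ok, boundary, sizeof boundary);
    printf("normal boundary: len=%d value=%s\n", len, len >= 0 ? boundary : "(rejected)");
    printf("8000-char boundary rejected: %s\n",
           oversized_boundary_rejected(8000) ? "yes" : "no");
    return 0;
}
```

The two changes that matter are the order of operations (validate the length, then copy) and the buffer type (fixed-size array instead of a VLA), so the handler's stack usage no longer depends on what the client sends. A reviewer auditing similar embedded HTTP code can grep for VLAs and `alloca()` in request-handling paths and apply the same bound.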

Exploit · Fix · RCE · Stack Overflow


Weakness Enumeration

Related Identifiers: CVE-2026-42854

Affected Products: Arduino-Esp32