CVE-2026-2940
Published: 22 February 2026
Summary
CVE-2026-2940 is a high-severity memory-safety vulnerability classified as Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), manifesting as an out-of-bounds write (CWE-787). Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Memory protections (e.g., W^X/NX, ASLR, stack canaries, PIE) make it far harder to turn a buffer-boundary violation into code execution; they do not prevent the out-of-bounds write itself or a resulting crash.
- Ongoing control assessments and code testing (static/dynamic analysis, fuzzing with sanitizers) surface memory buffer restriction failures so they can be remediated before release.
- Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety and prevent most buffer overflows that require direct memory manipulation. This control does not apply here: tiny_web_server is written in C (the affected file is tiny.c).
- Runtime monitoring detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior in the web server process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in unauthenticated URL handler of public-facing web server directly enables remote exploitation of the application per T1190; limited C/I/A impacts and lack of specified RCE or post-exploitation primitives preclude additional technique mappings.
NVD Description
A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. This affects the function tiny_web_server/tiny.c of the file tiny_web_server/tiny.c of the component URL Handler. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-2940 is an out-of-bounds write vulnerability (CWE-119, CWE-787) in the URL Handler component of Zaher1307's tiny_web_server, located in the file tiny_web_server/tiny.c. The NVD entry repeats the file path where the function name would normally appear, so the specific function is not identified. It affects the software up to commit 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-22.
The vulnerability enables remote exploitation without authentication or user interaction. An attacker can trigger the out-of-bounds write by sending a crafted request to the affected URL handler. The CVSS vector rates the resulting confidentiality, integrity, and availability impacts as Low; as with any out-of-bounds write in native code, the practical impact depends on what is laid out after the overflowed buffer, so the Low ratings reflect the initial triage rather than a proven ceiling.
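The following C program is an added example written for this page; it is not code from the tiny_web_server repository, and since the advisory does not identify the vulnerable function, the handler names, buffer size, and request lines below are assumptions. It shows the CWE-787 pattern the advisory describes in a URL handler (an attacker-controlled request target copied into a fixed-size buffer with no length check) next to a bounded version, and the kind of length sweep a pre-release test (the "code testing" control above) would run to confirm the fix. The overflow is deliberately confined to a canary region inside one arena so the program is well-defined when run; in a real server the bytes would land on whatever follows the buffer.

```c
/* Added example (not tiny_web_server code). Illustrates an out-of-bounds
 * write in a URL handler and its bounded replacement. All names, sizes and
 * request lines here are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_BUF 16                 /* assumed size of the handler's path buffer */
#define CANARY   "CANARY-OK"        /* marker placed right after the buffer */

/* One flat arena: bytes [0, PATH_BUF) are the path buffer, the rest hold
 * the canary. Writing past the path buffer stays inside the arena, so the
 * example can observe the overflow without undefined behaviour. */
struct handler_state {
    char arena[PATH_BUF + sizeof CANARY];
};
#define PATH(st)      ((st)->arena)
#define CANARY_AT(st) ((st)->arena + PATH_BUF)

static void state_init(struct handler_state *st) {
    memset(st->arena, 0, sizeof st->arena);
    memcpy(CANARY_AT(st), CANARY, sizeof CANARY);
}

/* Locate the request-target in "METHOD target HTTP/x.y". Returns NULL on a
 * malformed line, otherwise a pointer to the target and its length in *len. */
static const char *request_target(const char *line, size_t *len) {
    const char *sp = strchr(line, ' ');
    if (!sp) return NULL;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the attacker-controlled target length is never
 * compared against PATH_BUF, so a long target writes past the buffer. */
int handle_url_unsafe(struct handler_state *st, const char *line) {
    size_t len;
    const char *t = request_target(line, &len);
    if (!t) return -1;
    char *dst = PATH(st);
    for (size_t i = 0; i < len; i++) dst[i] = t[i];   /* no bound on i */
    dst[len] = '\0';
    return 0;
}

/* Hardened version: reject anything that does not fit with its terminator
 * (a server would answer 414 URI Too Long), then copy a known length. */
int handle_url_safe(struct handler_state *st, const char *line) {
    size_t len;
    const char *t = request_target(line, &len);
    if (!t) return -1;
    if (len >= PATH_BUF) return -2;                     /* too long: refuse */
    memcpy(PATH(st), t, len);
    PATH(st)[len] = '\0';
    return 0;
}

int canary_intact(const struct handler_state *st) {
    return memcmp(CANARY_AT(st), CANARY, sizeof CANARY) == 0;
}

/* Run one handler on a request line against a fresh arena. Returns the
 * handler's code; *intact receives 1 if the canary survived, else 0. */
int run_handler(int (*handler)(struct handler_state *, const char *),
                const char *line, int *intact) {
    struct handler_state st;
    state_init(&st);
    int rc = handler(&st, line);
    *intact = canary_intact(&st);
    return rc;
}

/* Test-style length sweep: feed the hardened handler targets of every
 * length below 4*PATH_BUF and count how many corrupt the canary (expect 0). */
int sweep_safe_handler(void) {
    int corrupted = 0;
    char line[4 * PATH_BUF + 32];
    for (size_t n = 1; n < 4 * PATH_BUF; n++) {
        size_t k = 0;
        memcpy(line + k, "GET /", 5);  k += 5;          /* target starts with '/' */
        memset(line + k, 'A', n - 1);   k += n - 1;      /* target length is n */
        memcpy(line + k, " HTTP/1.0", 10);               /* includes the NUL */
        int intact;
        run_handler(handle_url_safe, line, &intact);
        if (!intact) corrupted++;
    }
    return corrupted;
}

/* Constructed sample requests (not captured traffic). */
const char BENIGN_REQUEST[]   = "GET /index.html HTTP/1.0";
const char OVERLONG_REQUEST[] = "GET /AAAAAAAAAAAAAAAAAAAA HTTP/1.0"; /* 21-byte target */

int main(void) {
    int intact;
    int rc = run_handler(handle_url_unsafe, OVERLONG_REQUEST, &intact);
    printf("unsafe handler: rc=%d canary %s\n", rc, intact ? "intact" : "CLOBBERED");
    rc = run_handler(handle_url_safe, OVERLONG_REQUEST, &intact);
    printf("safe handler:   rc=%d canary %s\n", rc, intact ? "intact" : "CLOBBERED");
    printf("length sweep: %d corrupting lengths\n", sweep_safe_handler());
    return 0;
}
```

The check that matters is the single comparison against the destination size before any copy; the sweep is cheap enough to keep in a unit test so a future edit to the handler cannot silently drop it. With a sanitizer build (for example -fsanitize=address) the unsafe variant would be flagged even without the canary, which is the point of running such tests before release.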
Advisories note that the project employs continuous delivery with rolling releases, providing no specific details on affected or updated versions. The issue was reported early to the project via GitHub issue #1, but developers have not responded. An exploit has been publicly disclosed and may be utilized, with further details available in the GitHub repository at https://github.com/Zaher1307/tiny_web_server/ and VULDB entries at https://vuldb.com/?ctiid.347312 and https://vuldb.com/?id.347312.
Details
- CWE(s)