CVE-2026-2940
Published: 22 February 2026
Summary
CVE-2026-2940 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 21.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2026-2940 is an out-of-bounds write vulnerability (CWE-119, CWE-787) in the URL Handler component of Zaher1307's tiny_web_server, specifically within an unspecified function in the file tiny_web_server/tiny.c. It affects the software up to commit 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-22.
The vulnerability can be exploited remotely without authentication or user interaction. An attacker can trigger the out-of-bounds write by sending manipulated requests to the affected URL handler, with limited impact on confidentiality, integrity and availability according to the CVSS metrics.
Advisories note that the project employs continuous delivery with rolling releases, providing no specific details on affected or updated versions. The issue was reported early to the project via GitHub issue #1, but developers have not responded. An exploit has been publicly disclosed and may be utilized, with further details available in the GitHub repository at https://github.com/Zaher1307/tiny_web_server/ and VULDB entries at https://vuldb.com/?ctiid.347312 and https://vuldb.com/?id.347312.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7550
Vulnerability details
A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. This affects an unspecified function of the file tiny_web_server/tiny.c in the component URL Handler. This manipulation causes an out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats (MITRE ATT&CK Enterprise Techniques)
Why these techniques?
An out-of-bounds write in the unauthenticated URL handler of a public-facing web server directly enables remote exploitation of the application (T1190). The limited C/I/A impacts and the absence of a documented RCE or post-exploitation primitive preclude additional technique mappings.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of URL handler inputs to block the malformed requests that trigger the out-of-bounds write in tiny.c.
- Memory protection: applies memory protections that can contain or block the effects of the out-of-bounds write before it corrupts adjacent structures.
- SC-39 (Process Isolation): isolates the web-server process so that a successful out-of-bounds write cannot affect other system components or escalate impact.
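To make the SI-10 control concrete for a URL handler, here is an added example written for this page (not code from tiny_web_server, and not the project's fix, whose affected function the advisory does not name): a bounds-checked request-line parser that refuses any over-long or malformed field instead of copying it into a fixed buffer. The field sizes, names and the self-check are assumptions.

```c
#include <ctype.h>
#include <string.h>
/* Fixed-size request-line fields. MAX_URI is an assumed, hypothetical
 * limit; the page does not state the project's actual buffer sizes. */
#define MAX_METHOD  8
#define MAX_URI     256
#define MAX_VERSION 16
struct request_line { char method[MAX_METHOD]; char uri[MAX_URI]; char version[MAX_VERSION]; };

/* Copy one space-delimited token from src into dst (capacity cap). Returns
 * bytes consumed, or -1 if the token is empty, contains a control byte, or
 * would not fit in dst together with its NUL terminator. */
static int copy_token(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != ' ' && src[n] != '\r' && src[n] != '\n') {
        if (n + 1 >= cap || iscntrl((unsigned char)src[n]))
            return -1;                  /* reject rather than overrun dst */
        dst[n] = src[n];
        n++;
    }
    if (n == 0) return -1;
    dst[n] = '\0';
    return (int)n;
}

/* Parse "METHOD SP URI SP VERSION CRLF" into out. Returns 0 on success and
 * -1 for any malformed or over-long field, so the caller can send a 400/414
 * and close the connection instead of continuing on unvalidated data. */
int parse_request_line(const char *line, struct request_line *out) {
    const char *p = line;
    int n;
    if ((n = copy_token(p, out->method, sizeof out->method)) < 0 || p[n] != ' ') return -1;
    p += n + 1;
    if ((n = copy_token(p, out->uri, sizeof out->uri)) < 0 || p[n] != ' ') return -1;
    p += n + 1;
    if ((n = copy_token(p, out->version, sizeof out->version)) < 0) return -1;
    p += n;
    if (out->uri[0] != '/') return -1;  /* accept origin-form targets only */
    return (p[0] == '\r' && p[1] == '\n' && p[2] == '\0') ? 0 : -1;
}

/* Self-check: a constructed 301-byte URI must be rejected, not truncated or written past uri[]. */
int oversized_uri_is_rejected(void) {
    char line[320];
    struct request_line r;
    memset(line, 'A', sizeof line);
    memcpy(line, "GET /", 5);
    memcpy(line + 305, " HTTP/1.0\r\n", 12);   /* 12 bytes includes the NUL */
    return parse_request_line(line, &r) == -1;
}
```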