
CVE-2026-3945

Severity: High
Published: 30 March 2026
Modified: 30 March 2026
CVSS v4.0 score: 8.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0060 (44.0th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3945 is a high-severity integer overflow or wraparound (CWE-190) vulnerability in the tinyproxy HTTP proxy. Its CVSS v4.0 base score is 8.7 (High); the vector records impact on availability only (VA:H), with no confidentiality or integrity impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the resulting outage mapping to Service Exhaustion Flood (T1499.002). Its EPSS exploit-likelihood score sits at the 44.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3945 is an integer overflow vulnerability in the HTTP chunked transfer encoding parser of tinyproxy, affecting all versions up to and including the latest stable release, 1.11.3. The chunk size field of each chunk is parsed with strtol() without checking for an overflow condition (errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX on an LP64 platform) passes the only existing validation, chunklen < 0, and the subsequent arithmetic chunklen + 2 then overflows a signed long. Note that strtol() clamps any value that does not fit in a long to LONG_MAX and merely sets errno to ERANGE, so an even larger hex string, or the same string on a platform with a 32-bit long, lands on the same code path. The wrapped result feeds an incorrect size calculation, and the proxy sets out to read an impractically large amount of request-body data.

An unauthenticated remote attacker can exploit this over the network with low complexity, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending an HTTP request with the oversized chunk size, the attacker leaves a worker connection blocked waiting for request-body bytes that never arrive. Repeating the request exhausts every available worker slot, so the proxy stops accepting new connections and service is completely denied.
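To make the failure concrete, the following C sketch is an added example, not tinyproxy's code or the upstream fix. It models the pre-fix check exactly as the analysis above describes it (strtol() followed only by a chunklen < 0 test) beside a hardened parse of the chunk-size line, and it shows why chunklen + 2 would wrap without actually performing that undefined addition. The function names, the MAX_CHUNK_LEN bound and the sample chunk-size lines are assumptions chosen for illustration; tinyproxy's real limits and identifiers are not given on this page.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on a single chunk; tinyproxy's actual limit is not on the page. */
#define MAX_CHUNK_LEN (16L * 1024 * 1024)

/*
 * Models the pre-fix logic as the advisory describes it: strtol(), then reject
 * only negative results.  Returns 1 if that check would accept the line and
 * writes the parsed value to *out.  No arithmetic is done on the value here,
 * because `chunklen + 2` on LONG_MAX is undefined behaviour in C.
 */
int old_check_accepts(const char *line, long *out)
{
    char *end;
    errno = 0;
    long chunklen = strtol(line, &end, 16);
    *out = chunklen;
    return chunklen >= 0;   /* LONG_MAX passes; errno == ERANGE is never consulted */
}

/* Would the follow-on `chunklen + 2` overflow?  Computed without doing the addition. */
int plus_two_overflows(long chunklen)
{
    return chunklen > LONG_MAX - 2;
}

/*
 * Hardened parse of a chunk-size line such as "1a", "1a;ext=1\r\n" or "0\r\n".
 * Returns the chunk length, or -1 on any error.
 */
long parse_chunk_len(const char *line)
{
    char *end;

    /* strtol() skips leading whitespace and accepts a sign and a "0x" prefix in
       base 16; an HTTP chunk size is bare hex digits, so reject all of those. */
    if (!isxdigit((unsigned char)line[0]))
        return -1;
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;

    errno = 0;
    long chunklen = strtol(line, &end, 16);
    if (errno == ERANGE)        /* value did not fit in a long; strtol clamped it */
        return -1;
    if (end == line)            /* no digits consumed */
        return -1;
    /* Only a chunk extension (';') or the line terminator may follow the size. */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;
    if (chunklen < 0 || chunklen > MAX_CHUNK_LEN)   /* the bound also keeps chunklen + 2 safe */
        return -1;
    return chunklen;
}

int main(void)
{
    const char *attack = "7fffffffffffffff\r\n";   /* constructed sample: LONG_MAX on LP64 */
    long v = 0;
    printf("old check accepts LONG_MAX line: %d (value %ld, +2 overflows: %d)\n",
           old_check_accepts(attack, &v), v, plus_two_overflows(v));
    printf("hardened parse of the same line: %ld\n", parse_chunk_len(attack));
    printf("hardened parse of \"1a;ext=1\\r\\n\": %ld\n", parse_chunk_len("1a;ext=1\r\n"));
    return 0;
}
```

The ERANGE test alone is not sufficient: on an LP64 build the string 7fffffffffffffff fits in a long exactly, so strtol() returns LONG_MAX without setting errno, and only the explicit size bound rejects it. Both checks are needed, and the bound is what makes the later addition safe regardless of platform word size.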

Upstream developers addressed the issue in commit bb7edc4, with related discussion in GitHub issue #602 and pull request #603. The fix has not yet been incorporated into a stable release, so version 1.11.3 remains vulnerable. Practitioners should confirm what they are running (tinyproxy -v prints the version), monitor the tinyproxy releases page for an updated version, and in the interim either cherry-pick the commit and rebuild from source or deploy a build that already carries it.


Vulnerability details

An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.002 Service Exhaustion Flood (Impact): Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The integer overflow sits in the HTTP parser of a public-facing proxy, so it is reachable by remote, unauthenticated exploitation (T1190); the effect of that exploitation is worker-connection exhaustion and loss of service (T1499.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30404 (shared CWE-190)
CVE-2025-27918 (shared CWE-190)
CVE-2024-11347 (shared CWE-190)
CVE-2024-40765 (shared CWE-190)
CVE-2026-41416 (shared CWE-190)
CVE-2026-5121 (shared CWE-190)
CVE-2024-55656 (shared CWE-190)
CVE-2025-14087 (shared CWE-190)
CVE-2025-0838 (shared CWE-190)
CVE-2025-14308 (shared CWE-190)


Mitigating Controls (NIST 800-53 r5)

prevent: Requires identification, reporting, and correction of the integer overflow flaw in tinyproxy's chunked transfer parser, enabling patching with the upstream fix.

prevent (SI-10, Information Input Validation): Mandates validation of HTTP chunk size inputs to detect and reject oversized values like LONG_MAX that trigger integer overflows.

prevent (SC-5, Denial-of-service Protection): Enforces denial-of-service protections at proxy entry points to limit connection exhaustion from malicious oversized chunked requests.
