CVE-2026-3945
Published: 30 March 2026
Summary
CVE-2026-3945 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3945 is an integer overflow vulnerability in the HTTP chunked transfer encoding parser of tinyproxy, affecting all versions up to and including the latest stable release 1.11.3. The flaw arises because chunk size values are parsed using strtol() without properly checking for overflow conditions, such as errno == ERANGE. A crafted chunk size like 0x7fffffffffffffff (LONG_MAX) evades the existing validation (chunklen < 0), triggering a signed integer overflow during subsequent arithmetic like chunklen + 2. This leads to incorrect size calculations, causing the proxy to attempt reading an impractically large amount of request-body data.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending a malicious HTTP request with the oversized chunk size, the attacker forces the proxy to hold worker connections open indefinitely while waiting for non-existent data. Repeated exploitation exhausts all available worker slots, preventing the proxy from accepting new connections and resulting in a complete denial of service.
Upstream developers addressed the issue in commit bb7edc4, with related discussion in GitHub issue #602 and pull request #603. However, the fix has not yet been incorporated into a stable release, leaving version 1.11.3 vulnerable. Security practitioners should monitor the tinyproxy releases page for an updated version and consider applying the commit manually or using a forked build in the interim.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17066
Vulnerability details
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.
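To make the validation gap described in the deeper analysis and the vulnerability details concrete, here is an added C example; it is not tinyproxy's code and not the upstream fix. It places the weak pattern the advisory describes (strtol() followed only by a "chunklen < 0" check) beside a hardened parser that resets errno, treats ERANGE as a failure, requires at least one hex digit, rejects trailing garbage, and caps the size, plus a guarded helper for the "+ 2" (trailing CRLF) arithmetic. The function names and the MAX_CHUNK_SIZE cap are assumptions chosen for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Assumed cap on a single chunk we are willing to buffer. This value is
 * chosen for the example and is not a tinyproxy configuration setting. */
#define MAX_CHUNK_SIZE (16L * 1024 * 1024)

/* Weak pattern described in the advisory (hypothetical name): parse the
 * hex chunk size with strtol() and reject only negative results. A line
 * such as "7fffffffffffffff" yields LONG_MAX (exactly on a 64-bit long, or
 * via strtol's ERANGE clamp on a 32-bit long), passes the "< 0" check, and
 * a later "chunklen + 2" on that value overflows. */
long parse_chunk_size_weak(const char *line)
{
    long chunklen = strtol(line, NULL, 16);
    if (chunklen < 0)
        return -1;
    return chunklen;
}

/* Hardened variant (hypothetical name): reset errno, treat ERANGE as a
 * parse failure, require at least one hex digit, accept only whitespace,
 * a chunk-extension ';' or the line terminator after the digits, and cap
 * the value so that no later arithmetic on it can wrap. Returns -1 on any
 * rejection. */
long parse_chunk_size_safe(const char *line)
{
    char *end;
    long chunklen;

    errno = 0;
    chunklen = strtol(line, &end, 16);
    if (errno == ERANGE)            /* value did not fit in a long */
        return -1;
    if (end == line)                /* no hex digits at all */
        return -1;
    if (chunklen < 0 || chunklen > MAX_CHUNK_SIZE)
        return -1;                  /* negative or larger than we buffer */
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;                  /* garbage after the size */
    return chunklen;
}

/* Bytes to read for the chunk body plus its trailing CRLF, with the
 * addition guarded so that a huge chunklen cannot wrap to a small or
 * negative value. Returns -1 when the sum would overflow. */
long chunk_bytes_to_read(long chunklen)
{
    if (chunklen < 0 || chunklen > LONG_MAX - 2)
        return -1;
    return chunklen + 2;
}
```

The two parsers differ on exactly the input class the advisory names: the weak one returns LONG_MAX for "7fffffffffffffff", which the sign check accepts, while the hardened one rejects it either through ERANGE or through the size cap, and the guarded addition refuses to compute a total that would wrap.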
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An integer overflow in the public-facing tinyproxy HTTP parser directly enables remote, unauthenticated exploitation (T1190), which in turn exhausts worker connections and produces a service DoS (T1499.002).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of the integer overflow flaw in tinyproxy's chunked transfer parser, enabling patching with the upstream fix.
- SI-10 (Information Input Validation): mandates validation of HTTP chunk size inputs to detect and reject oversized values like LONG_MAX that trigger integer overflows.
- SC-5 (Denial-of-service Protection): enforces denial-of-service protections at proxy entry points to limit connection exhaustion from malicious oversized chunked requests.