CVE-2026-3945 | tinyproxy up to 1.11.3 Chunk strtol integer overflow (EUVD-2026-17066)

VDB-354150 · CVE-2026-3945 · EUVD-2026-17066 TINYPROXY UP TO 1.11.3 CHUNK STRTOL INTEGER OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 5.31 Summaryinfo A vulnerability was found in tinyproxy up to 1.11.3. It has been declared as problematic. Impacted is the function strtol of the component Chunk Handler. The manipulation results in integer overflow. This vulnerability is known as CVE-2026-3945. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component. Detailsinfo A vulnerability classified as problematic has been found in tinyproxy up to 1.11.3. Affected is the function strtol of the component Chunk Handler. The manipulation with an unknown input leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. This is going to have an impact on availability. CVE summarizes: An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication. The weakness was published by Muxammadiyev G'iyosiddin. The advisory is available at github.com. This vulnerability is traded as CVE-2026-3945 since 03/11/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. Upgrading to version 1.11.3 eliminates this vulnerability. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-17066). Productinfo Type Firewall Software Name tinyproxy Version 1.11.0 1.11.1 1.11.2 1.11.3 Website Product: https://github.com/tinyproxy/tinyproxy/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (TuranSec): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Integer overflow CWE: CWE-190 / CWE-189 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: tinyproxy 1.11.3 Timelineinfo 03/11/2026 CVE reserved 03/30/2026 +18 days Advisory disclosed 03/30/2026 +0 days VulDB entry created 03/30/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Researcher: Muxammadiyev G'iyosiddin Status: Confirmed CVE: CVE-2026-3945 (🔒) GCVE (CVE): GCVE-0-2026-3945 GCVE (VulDB): GCVE-100-354150 EUVD: 🔒 Entryinfo Created: 03/30/2026 09:42 Updated: 03/30/2026 12:05 Changes: 03/30/2026 09:42 (77), 03/30/2026 12:05 (1) Complete: 🔍 Cache ID: 99:F30:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸