CVE-2026-28525 is an integer underflow vulnerability (CWE-191) in the multipart upload parser of SWUpdate, specifically in the mg_http_multipart_continue_wait_for_chunk() function within mongoose_multipart.c. When processing a malformed multipart boundary in an HTTP POST request to /upload, the function can underflow the buffer length, causing an out-of-bounds heap read and subsequent write beyond the allocated receive buffer to a local IPC socket. This vulnerability allows unauthenticated attackers to cause a denial of service by crashing or destabilizing the application. The CVSS 4.0 score is 8.2, reflecting high severity with network attack vector, high attack complexity, no privileges or user interaction required, and high impact on availability. No patch or official remediation is currently documented, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation leads to denial of service by causing out-of-bounds memory access and heap corruption in SWUpdate's multipart upload parser. This can disrupt service availability but does not indicate code execution or data disclosure based on the current information. The vulnerability is exploitable remotely without authentication but requires high attack complexity due to specific buffer length and TCP timing conditions. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or workaround is currently available, users should monitor vendor communications for updates. Until a fix is released, consider restricting access to the /upload endpoint or implementing network-level protections to limit exposure. Avoid processing untrusted multipart uploads if possible.