CVE-2026-29076 identifies a vulnerability in the cpp-httplib library, a widely used C++11 single-header HTTP/HTTPS client and server library. Prior to version 0.37.0, cpp-httplib uses the std::regex implementation from libstdc++ to parse RFC 5987 encoded filename* parameters in multipart Content-Disposition headers. The libstdc++ regex engine employs a backtracking mechanism implemented via deep recursion, where each input character consumes one stack frame. An attacker can exploit this by sending a crafted HTTP POST request containing a malicious filename* parameter designed to cause uncontrolled recursion depth in the regex engine. This results in stack overflow, causing the server process to crash with a segmentation fault (SIGSEGV). The vulnerability affects availability by enabling denial-of-service attacks but does not compromise confidentiality or integrity. Exploitation does not require authentication or user interaction, but the attack complexity is high due to the need for precise input crafting. The issue is tracked under CWE-674 (Uncontrolled Recursion) and CWE-1333 (Improper Handling of Exceptional Conditions). The vulnerability has been patched in cpp-httplib version 0.37.0, which replaces the vulnerable regex parsing approach. No public exploits have been reported yet, but the vulnerability poses a risk to any server or client application using vulnerable cpp-httplib versions to handle multipart HTTP requests.

The primary impact of CVE-2026-29076 is denial of service through server process crashes caused by stack overflow. This can disrupt availability of services relying on cpp-httplib for HTTP/HTTPS communications, potentially affecting web servers, APIs, embedded devices, or client applications that parse multipart form data. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are not direct concerns. However, repeated exploitation could degrade service reliability, cause downtime, and increase operational costs. Organizations with high-availability requirements or those running critical infrastructure using vulnerable cpp-httplib versions may face significant operational disruptions. The attack requires no privileges or user interaction, increasing exposure risk, but the high complexity of crafting the exploit may limit widespread automated attacks. No known exploits in the wild currently reduce immediate risk but patching remains essential to prevent future exploitation.

To mitigate CVE-2026-29076, organizations should immediately upgrade all instances of cpp-httplib to version 0.37.0 or later, where the vulnerable regex parsing has been replaced or fixed. For environments where immediate upgrade is not feasible, consider implementing input validation and sanitization on multipart Content-Disposition headers to reject suspicious or overly complex filename* parameters before they reach the cpp-httplib parser. Employ runtime protections such as stack size limits or process isolation to contain potential crashes. Monitoring server logs for frequent crashes or malformed HTTP POST requests targeting multipart uploads can help detect attempted exploitation. Additionally, applying network-level rate limiting and web application firewall (WAF) rules to detect and block suspicious multipart requests may reduce attack surface. Developers should review usage of std::regex in other parts of their codebase to avoid similar uncontrolled recursion issues. Finally, maintain an incident response plan to quickly recover from potential denial-of-service events caused by this vulnerability.