CVE-2026-29076 concerns an uncontrolled recursion vulnerability in the cpp-httplib library, a widely used C++11 single-header HTTP/HTTPS client and server library. Prior to version 0.37.0, cpp-httplib uses the std::regex implementation from libstdc++ to parse RFC 5987 encoded filename* parameters within multipart Content-Disposition headers. The regex engine in libstdc++ relies on backtracking implemented via deep recursion, where each input character consumes one stack frame. An attacker can craft a malicious HTTP POST request containing a filename* parameter designed to cause excessive recursion depth in the regex engine. This leads to uncontrolled stack growth, culminating in a stack overflow and a segmentation fault (SIGSEGV) that crashes the server process. The vulnerability does not affect confidentiality or integrity but impacts availability by causing denial of service. Exploitation requires no privileges or user interaction but demands precise input crafting, making the attack complexity high. The vulnerability is classified under CWE-674 (Uncontrolled Recursion) and CWE-1333 (Improper Handling of Exceptional Conditions). The issue has been addressed in cpp-httplib version 0.37.0 by presumably changing the parsing approach or regex usage to prevent deep recursion. No public exploits have been reported to date.

The primary impact of CVE-2026-29076 is denial of service due to server process crashes triggered by stack overflow. Organizations using vulnerable versions of cpp-httplib in their HTTP/HTTPS servers or clients may experience service interruptions if targeted by crafted HTTP POST requests exploiting this vulnerability. This can degrade service availability, disrupt business operations, and potentially lead to cascading failures if the affected service is critical or part of a larger system. Although the vulnerability does not allow data disclosure or modification, repeated exploitation could be used as part of a broader attack to degrade system reliability or distract incident response teams. The impact is particularly significant for high-availability environments or internet-facing services where attackers can send arbitrary HTTP requests. Since cpp-httplib is a popular lightweight library embedded in various C++ applications, the scope of affected systems can be broad, especially in industries relying on custom or embedded HTTP services.

To mitigate CVE-2026-29076, organizations should immediately upgrade all instances of cpp-httplib to version 0.37.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, consider implementing input validation or filtering at the network perimeter to detect and block HTTP POST requests containing suspicious or unusually long filename* parameters in multipart Content-Disposition headers. Employ web application firewalls (WAFs) with custom rules targeting malformed multipart requests to reduce exposure. Additionally, monitor server logs for repeated crashes or segmentation faults related to HTTP POST handling, which may indicate exploitation attempts. Developers should review their use of regex parsing for multipart headers and consider alternative parsing methods that do not rely on recursive backtracking. Finally, incorporate fuzz testing and static analysis in the development lifecycle to detect similar uncontrolled recursion issues proactively.