CVE Catalog

CVE-2026-12549

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

Risk Assessment

The organization is exposed to potential Denial of Service (DoS) attacks via log flooding and the risk of serving malformed data in HTTP 206 responses, which may impact service integrity and availability.

Recommendation

Immediately update the HTTP server to a version containing the correct fix for CVE-2026-12549, which restores proper clamping of start values in Range requests.

Original NVD description (English source)

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS