CVE-2020-28926
Description
MiniDLNA before 1.3.0 has a signedness bug in UPnP HTTP chunked encoding handling, leading to heap buffer overflow and remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ReadyMedia (MiniDLNA) versions prior to 1.3.0 contain a signedness bug in the UPnP HTTP request handler within upnphttp.c. When processing HTTP requests using chunked transfer encoding, the software fails to properly validate the chunk length field. An attacker can specify a large positive value that, when interpreted as a signed integer, becomes negative. This negative length is then passed to memcpy and memmove calls, resulting in a heap buffer overflow [2].
Exploitation
An unauthenticated attacker with network access to the MiniDLNA service can send a crafted UPnP HTTP request using chunked encoding. By setting a chunk length that, when cast to a signed type, becomes negative, the attacker causes the memory copy functions to write beyond the allocated buffer. The Rootshell Security team demonstrated a proof-of-concept exploit that triggers memory corruption and can also cause an infinite loop, leading to denial of service [2].
Impact
Successful exploitation allows remote code execution (RCE) in the context of the MiniDLNA process. Additionally, the same bug can be leveraged to cause a denial-of-service (DoS) condition via an infinite loop. The vulnerability is remotely exploitable without authentication, making it critical for affected deployments [2].
Mitigation
The vendor remediated the issue in version 1.3.0 of ReadyMedia (MiniDLNA). Users should upgrade to 1.3.0 or later. No workarounds are documented; the fix was released following responsible disclosure by Rootshell Security [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ReadyMedia/MiniDLNA (source: description)
  - Range: <1.3.0
- osv-coords (5 versions)
  - pkg:rpm/opensuse/minidlna&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/minidlna&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/minidlna&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/minidlna&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/minidlna&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: < 1.3.0-lp151.3.3.1
- (no CPE) range: < 1.3.0-lp152.4.3.1
- (no CPE) range: < 1.3.0-2.7
- (no CPE) range: < 1.3.0-bp151.2.3.1
- (no CPE) range: < 1.3.0-bp152.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Signedness bug in chunk length parsing allows an attacker to specify a large, negative chunk length, causing out-of-bounds memory copy in memcpy/memmove."
Attack vector
An attacker sends a malicious UPnP HTTP request using HTTP chunked transfer encoding to the miniDLNA service [ref_id=1]. By specifying a large chunk length that becomes negative when interpreted as a signed integer, the attacker causes a signedness bug that leads to an out-of-bounds error in calls to `memcpy` and `memmove` [ref_id=1]. This can result in heap corruption, remote code execution, or an infinite loop causing denial of service [ref_id=1]. No authentication is required; the service is reachable over the network.
Affected code
The vulnerability resides in the UPnP HTTP request handling code within the file `upnphttp.c` [ref_id=1]. The bug is triggered when the software processes chunked transfer encoding, allowing an attacker to manipulate the length of data chunks [ref_id=1].
What the fix does
The vendor remediated the issue in miniDLNA version 1.3.0 and later [ref_id=1]. The advisory does not include a patch diff, but the fix addresses the signedness bug in chunk length parsing so that large chunk lengths are no longer interpreted as negative values, preventing the out-of-bounds memory copy operations [ref_id=1].
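Since the advisory carries no patch diff, the following added example (not MiniDLNA's code and not the vendor's fix) shows the bug class described above next to one hardened way to parse a chunk size. All function names are hypothetical, the input strings are constructed, and it assumes the whole request body is already held in a buffer of `avail` bytes.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Flawed pattern: the hex chunk size ends up in a signed int. */
static int naive_chunk_len(const char *line)
{
    return (int)strtoul(line, NULL, 16); /* "ffffffff" -> -1 on common ABIs */
}

/* A signed upper-bound test lets a negative length through... */
static int naive_bound_ok(int len, int avail) { return len <= avail; }

/* ...and memcpy/memmove would receive it converted to this size_t. */
static size_t as_copy_size(int len) { return (size_t)len; }

/* Hardened pattern: unsigned parse, explicit rejects, bound on buffered bytes. */
static int parse_chunk_len(const char *line, size_t avail, size_t *out)
{
    char *end;
    unsigned long v;

    if (!isxdigit((unsigned char)line[0]))
        return -1;                 /* empty field, whitespace, or a sign */
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE)
        return -1;                 /* does not fit in unsigned long */
    if (*end != '\0' && *end != '\r' && *end != ';')
        return -1;                 /* junk after the size field */
    if (v > avail)
        return -1;                 /* claims more than is buffered */
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int bad = naive_chunk_len("ffffffff\r\n"); /* constructed sample input */
    int rc_big = parse_chunk_len("ffffffff\r\n", 2048, &n);
    int rc_ok = parse_chunk_len("1a\r\n", 2048, &n);

    printf("naive: len=%d bound_ok=%d copy_size=%zu\n",
           bad, naive_bound_ok(bad, 2048), as_copy_size(bad));
    printf("hardened: ffffffff -> %d, 1a -> %d (n=%zu)\n", rc_big, rc_ok, n);
    return 0;
}
```

The naive path reports a length of -1 that passes the signed bound check and would reach a copy routine as `SIZE_MAX`; the hardened parser keeps the value unsigned end to end and rejects it before any copy.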
Preconditions
- network: The miniDLNA service must be running and reachable over the network.
- input: The attacker must be able to send a crafted UPnP HTTP request with chunked transfer encoding.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2020/dsa-4806 (mitre, vendor-advisory, x_refsource_DEBIAN)
- lists.debian.org/debian-lts-announce/2020/12/msg00017.html (mitre, mailing-list, x_refsource_MLIST)
- sourceforge.net/projects/minidlna/ (mitre, x_refsource_MISC)
- www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/ (mitre, x_refsource_MISC)