Common Weakness Enumeration

CWE-121

Allowed

Stack-based Buffer Overflow

Abstraction: Variant · Status: Draft

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

5207 vulnerabilities reference this CWE, most recent first.

CVE-2026-13515 (GCVE-0-2026-13515)

Vulnerability from cvelistv5 – Published: 2026-06-28 23:30 – Updated: 2026-06-29 14:53
VLAI
Title
Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow
Summary
A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/374523 vdb-entrytechnical-description
https://vuldb.com/vuln/374523/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-13515 third-party-advisory
https://vuldb.com/submit/838885 third-party-advisory
https://github.com/cve-a/Vampirensa/issues/1 exploitissue-tracking
https://www.tenda.com.cn/ product
Impacted products
Vendor Product Version
Tenda JD12L Affected: 16.03.53.23
    cpe:2.3:h:tenda:jd12l:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Vampirensa (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13515",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T14:13:43.647249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T14:53:10.656Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:h:tenda:jd12l:*:*:*:*:*:*:*:*"
          ],
          "product": "JD12L",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "16.03.53.23"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Vampirensa (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T23:30:10.966Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-374523 | Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/374523"
        },
        {
          "name": "VDB-374523 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/374523/cti"
        },
        {
          "name": "CVE-2026-13515 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-13515"
        },
        {
          "name": "Submit #838885 | Tenda JD12L Pro V16.03.53.23 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/838885"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/cve-a/Vampirensa/issues/1"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-28T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-28T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-28T08:50:56.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-13515",
    "datePublished": "2026-06-28T23:30:10.966Z",
    "dateReserved": "2026-06-28T06:45:40.498Z",
    "dateUpdated": "2026-06-29T14:53:10.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12848 (GCVE-0-2026-12848)

Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:49
VLAI
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### DNS field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v8 = strlen(g_network_config->dns_addr); memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
GV
References
Impacted products
Vendor Product Version
GeoVision Inc. GV-I/O Box 4E Affected: V2.09
Unaffected: v2.12
Create a notification for this product.
Date Public
2026-06-17 03:10
Credits
Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12848",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:46:58.574812Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:49:33.639Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GV-I/O Box 4E",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V2.09"
            },
            {
              "status": "unaffected",
              "version": "v2.12"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Philippe Laulheret of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Kelly Patterson of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Robert Sherwin  of Cisco Talos"
        }
      ],
      "datePublic": "2026-06-17T03:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e#### DNS field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e    v8 = strlen(g_network_config-\u0026gt;dns_addr);\n\u003cbr\u003e    memcpy(\u0026amp;reply_buf[248], g_network_config-\u0026gt;dns_addr, v8);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n\n#### DNS field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n    v8 = strlen(g_network_config-\u003edns_addr);\n\n    memcpy(\u0026reply_buf[248], g_network_config-\u003edns_addr, v8);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T03:34:30.664Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.geovision.com.tw/cyber_security.php"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T07:34:00.000Z",
          "value": "Finder Reports Vulnerabilties to Vendor"
        }
      ],
      "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-12848",
    "datePublished": "2026-06-24T03:34:30.664Z",
    "dateReserved": "2026-06-22T00:26:58.083Z",
    "dateUpdated": "2026-06-24T12:49:33.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12847 (GCVE-0-2026-12847)

Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 13:16
VLAI
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
GV
References
Impacted products
Vendor Product Version
GeoVision Inc. GV-I/O Box 4E Affected: V2.09
Unaffected: v2.12
Create a notification for this product.
Date Public
2026-06-17 03:10
Credits
Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T13:16:28.900447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T13:16:38.193Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GV-I/O Box 4E",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V2.09"
            },
            {
              "status": "unaffected",
              "version": "v2.12"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Philippe Laulheret of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Kelly Patterson of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Robert Sherwin  of Cisco Talos"
        }
      ],
      "datePublic": "2026-06-17T03:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Gateway field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v7 = strlen(g_network_config-\u0026gt;gateway);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[216], g_network_config-\u0026gt;gateway, v7);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Gateway field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v7 = strlen(g_network_config-\u003egateway);\n\n      memcpy(\u0026reply_buf[216], g_network_config-\u003egateway, v7);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T03:34:28.215Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.geovision.com.tw/cyber_security.php"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T07:34:00.000Z",
          "value": "Finder Reports Vulnerabilties to Vendor"
        }
      ],
      "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-12847",
    "datePublished": "2026-06-24T03:34:28.215Z",
    "dateReserved": "2026-06-22T00:26:55.874Z",
    "dateUpdated": "2026-06-24T13:16:38.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12846 (GCVE-0-2026-12846)

Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:55
VLAI
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
GV
References
Impacted products
Vendor Product Version
GeoVision Inc. GV-I/O Box 4E Affected: V2.09
Unaffected: v2.12
Create a notification for this product.
Date Public
2026-06-17 03:10
Credits
Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:55:27.854943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:55:36.396Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GV-I/O Box 4E",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V2.09"
            },
            {
              "status": "unaffected",
              "version": "v2.12"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Philippe Laulheret of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Kelly Patterson of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Robert Sherwin  of Cisco Talos"
        }
      ],
      "datePublic": "2026-06-17T03:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Net Mask field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v6 = strlen(g_network_config-\u0026gt;net_mask);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[184], g_network_config-\u0026gt;net_mask, v6);\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v6 = strlen(g_network_config-\u003enet_mask);\n\n      memcpy(\u0026reply_buf[184], g_network_config-\u003enet_mask, v6);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T03:34:25.543Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.geovision.com.tw/cyber_security.php"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T07:34:00.000Z",
          "value": "Finder Reports Vulnerabilties to Vendor"
        }
      ],
      "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-12846",
    "datePublished": "2026-06-24T03:34:25.543Z",
    "dateReserved": "2026-06-22T00:26:45.854Z",
    "dateUpdated": "2026-06-24T12:55:36.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12488 (GCVE-0-2026-12488)

Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:55
VLAI
Title
GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability
Summary
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.  A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
GV
Impacted products
Vendor Product Version
GeoVision Inc. GeoVision Affected: V20.0.2
Unaffected: V20.1.0.0
Create a notification for this product.
Credits
Philippe Laulheret of Cisco Talos. Kelly Patterson of Cisco Talos. Robert Sherwin of Cisco Talos.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-24T05:23:56.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2411"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12488",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:55:06.184694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:55:14.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "GeoVision",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V20.0.2"
            },
            {
              "status": "unaffected",
              "version": "V20.1.0.0"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:geovision:v20.0.2:*:windows:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:geovision:v20.1.0.0:*:windows:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Philippe Laulheret of Cisco Talos."
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Kelly Patterson of Cisco Talos."
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Robert Sherwin of Cisco Talos."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eA specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.\u003c/div\u003e"
            }
          ],
          "value": "A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.\u00a0\n\n\nA specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T03:34:20.794Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.geovision.com.tw/cyber_security.php"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2411"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GeoVision GV-VMS version V20.1.0 has patched the reported vulnerability.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUser is recommended to download the update from GeoVision\u0027s offical website\u0026nbsp;(https://www.geovision.com.tw/download/product/GV-VMS%20V20)\u003c/div\u003e\u003cdiv\u003eor contact GeoVision Support team at support@geovision.com.tw\u0026nbsp;\u003c/div\u003e"
            }
          ],
          "value": "GeoVision GV-VMS version V20.1.0 has patched the reported vulnerability.\u00a0\n\n\nUser is recommended to download the update from GeoVision\u0027s offical website\u00a0(https://www.geovision.com.tw/download/product/GV-VMS%20V20)\n\nor contact GeoVision Support team at support@geovision.com.tw"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T03:49:00.000Z",
          "value": "Initial Vendor Contact"
        }
      ],
      "title": "GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-12488",
    "datePublished": "2026-06-24T03:34:20.794Z",
    "dateReserved": "2026-06-17T03:39:27.939Z",
    "dateUpdated": "2026-06-24T12:55:14.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12485 (GCVE-0-2026-12485)

Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:56
VLAI
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### IP field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v3 = strlen(g_network_config->ip_addr); memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
GV
References
Impacted products
Vendor Product Version
GeoVision Inc. GV-I/O Box 4E Affected: V2.09
Unaffected: v2.12
Create a notification for this product.
Date Public
2026-06-17 03:10
Credits
Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12485",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:55:48.854235Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:56:06.131Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GV-I/O Box 4E",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "V2.09"
            },
            {
              "status": "unaffected",
              "version": "v2.12"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Philippe Laulheret of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Kelly Patterson of Cisco Talos"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Robert Sherwin  of Cisco Talos"
        }
      ],
      "datePublic": "2026-06-17T03:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v3 = strlen(g_network_config-\u0026gt;ip_addr);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### IP field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v3 = strlen(g_network_config-\u003eip_addr);\n\n      memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T03:34:22.794Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.geovision.com.tw/cyber_security.php"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T07:34:00.000Z",
          "value": "Finder Reports Vulnerabilties to Vendor"
        }
      ],
      "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-12485",
    "datePublished": "2026-06-24T03:34:22.794Z",
    "dateReserved": "2026-06-17T03:09:05.554Z",
    "dateUpdated": "2026-06-24T12:56:06.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12222 (GCVE-0-2026-12222)

Vulnerability from cvelistv5 – Published: 2026-06-15 05:15 – Updated: 2026-06-27 05:45
VLAI
Title
Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow
Summary
A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and is working on a patch to fix it.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/370865 vdb-entrytechnical-description
https://vuldb.com/vuln/370865/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12222 third-party-advisory
https://vuldb.com/submit/834602 third-party-advisory
http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueTooth… broken-linkexploit
Impacted products
Vendor Product Version
Yealink SIP-T46U Affected: 108.86.0.118
    cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
ChiChen241 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12222",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T13:11:11.186975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T13:11:18.614Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web FastCGI Service"
          ],
          "product": "SIP-T46U",
          "vendor": "Yealink",
          "versions": [
            {
              "status": "affected",
              "version": "108.86.0.118"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ChiChen241 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure and is working on a patch to fix it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.7,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T05:45:32.646Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370865 | Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370865"
        },
        {
          "name": "VDB-370865 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370865/cti"
        },
        {
          "name": "CVE-2026-12222 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12222"
        },
        {
          "name": "Submit #834602 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/834602"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "http://cdn2.v50to.cc/T46U/T46U_mod_webd_BlueToothTest_off_by_one.zip"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-27T07:48:07.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12222",
    "datePublished": "2026-06-15T05:15:09.045Z",
    "dateReserved": "2026-06-14T13:54:21.407Z",
    "dateUpdated": "2026-06-27T05:45:32.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12221 (GCVE-0-2026-12221)

Vulnerability from cvelistv5 – Published: 2026-06-15 05:00 – Updated: 2026-06-27 05:45
VLAI
Title
Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow
Summary
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/370864 vdb-entrytechnical-description
https://vuldb.com/vuln/370864/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12221 third-party-advisory
https://vuldb.com/submit/834207 third-party-advisory
http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrad… broken-linkexploitpatch
Impacted products
Vendor Product Version
Yealink SIP-T46U Affected: 108.86.0.118
    cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
CookedMelon (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T12:50:29.215688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T12:50:45.903Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Firmware Chunk Upload Handler"
          ],
          "product": "SIP-T46U",
          "vendor": "Yealink",
          "versions": [
            {
              "status": "affected",
              "version": "108.86.0.118"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "CookedMelon (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.7,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T05:45:23.320Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370864 | Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370864"
        },
        {
          "name": "VDB-370864 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370864/cti"
        },
        {
          "name": "CVE-2026-12221 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12221"
        },
        {
          "name": "Submit #834207 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/834207"
        },
        {
          "tags": [
            "broken-link",
            "exploit",
            "patch"
          ],
          "url": "http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrade_chunk_stack_overflow.zip"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-27T07:47:33.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12221",
    "datePublished": "2026-06-15T05:00:10.661Z",
    "dateReserved": "2026-06-14T13:54:18.805Z",
    "dateUpdated": "2026-06-27T05:45:23.320Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12220 (GCVE-0-2026-12220)

Vulnerability from cvelistv5 – Published: 2026-06-15 04:45 – Updated: 2026-06-27 05:45
VLAI
Title
Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow
Summary
A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/370863 vdb-entrytechnical-description
https://vuldb.com/vuln/370863/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12220 third-party-advisory
https://vuldb.com/submit/834205 third-party-advisory
http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SpareP… broken-linkexploitpatch
Impacted products
Vendor Product Version
Yealink SIP-T46U Affected: 108.86.0.118
    cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
CookedMelon (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12220",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T15:52:49.971836Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T19:24:51.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Firmware Chunk Upload handler"
          ],
          "product": "SIP-T46U",
          "vendor": "Yealink",
          "versions": [
            {
              "status": "affected",
              "version": "108.86.0.118"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "CookedMelon (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.7,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T05:45:11.834Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370863 | Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370863"
        },
        {
          "name": "VDB-370863 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370863/cti"
        },
        {
          "name": "CVE-2026-12220 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12220"
        },
        {
          "name": "Submit #834205 | yealink T46U 108.86.0.118 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/834205"
        },
        {
          "tags": [
            "broken-link",
            "exploit",
            "patch"
          ],
          "url": "http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-27T07:46:51.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12220",
    "datePublished": "2026-06-15T04:45:10.866Z",
    "dateReserved": "2026-06-14T13:54:16.276Z",
    "dateUpdated": "2026-06-27T05:45:11.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12218 (GCVE-0-2026-12218)

Vulnerability from cvelistv5 – Published: 2026-06-15 04:15 – Updated: 2026-06-27 05:44
VLAI
Title
Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow
Summary
A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/370861 vdb-entrytechnical-description
https://vuldb.com/vuln/370861/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12218 third-party-advisory
https://vuldb.com/submit/834193 third-party-advisory
http://cdn2.v50to.cc/T46U/T46U_beforewifitest_sta… broken-linkexploit
Impacted products
Vendor Product Version
Yealink SIP-T46U Affected: 108.87.50.1
    cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
CookedMelon (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12218",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T10:32:54.702711Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T10:33:14.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Web FastCGI Service"
          ],
          "product": "SIP-T46U",
          "vendor": "Yealink",
          "versions": [
            {
              "status": "affected",
              "version": "108.87.50.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "CookedMelon (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure and is working on a patch to fix it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.7,
            "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T05:44:47.996Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370861 | Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370861"
        },
        {
          "name": "VDB-370861 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370861/cti"
        },
        {
          "name": "CVE-2026-12218 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12218"
        },
        {
          "name": "Submit #834193 | yealink T46U 108.87.50.1 stack",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/834193"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "http://cdn2.v50to.cc/T46U/T46U_beforewifitest_stack_overflow.zip"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-27T07:45:46.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12218",
    "datePublished": "2026-06-15T04:15:10.808Z",
    "dateReserved": "2026-06-14T13:54:11.247Z",
    "dateUpdated": "2026-06-27T05:44:47.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.

Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

No CAPEC attack patterns related to this CWE.