Submit #834205: yealink T46U 108.86.0.118 Stack-based Buffer Overflowinfo

Titel	yealink T46U 108.86.0.118 Stack-based Buffer Overflow
Beschreibung	Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the accessory firmware chunk upload handler of `fcgiserver`. The vulnerable endpoint is: ```text POST /api/upgrade/accupgradebychunk ``` The vulnerable handler is `mod_upgrade.SparePartsUpload()`. During the `finish` phase, the request-controlled `uid` value is inserted into a fixed-size stack buffer with `sprintf()` without length validation. The `upload` phase also uses request-controlled path fragments to construct a rename destination. poc POST /api/upgrade/prepareaccessories?p=Upgrade&t=<timestamp> HTTP/1.1 ... POST /api/upgrade/accupgradebychunk?p=Upgrade&t=<timestamp> HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 type=headsetrom&phase=finish&uid=<long-string>
Quelle	⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip
Benutzer	CookedMelon (UID 52513)
Einreichung	20.05.2026 17:36 (vor 27 Tagen)
Moderieren	14.06.2026 15:54 (25 days later)
Status	Akzeptiert
VulDB Eintrag	370863 [Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload uid Pufferüberlauf]
Punkte	20

Want to know what is going to be exploited?

We predict KEV entries!