| Titolo | yealink T46U 108.86.0.118 Stack-based Buffer Overflow |
|---|
| Descrizione | Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the accessory firmware chunk upload handler of `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/upgrade/accupgradebychunk
```
The vulnerable handler is `mod_upgrade.SparePartsUpload()`. During the `finish` phase, the request-controlled `uid` value is inserted into a fixed-size stack buffer with `sprintf()` without length validation. The `upload` phase also uses request-controlled path fragments to construct a rename destination.
poc
POST /api/upgrade/prepareaccessories?p=Upgrade&t=<timestamp> HTTP/1.1
...
POST /api/upgrade/accupgradebychunk?p=Upgrade&t=<timestamp> HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
type=headsetrom&phase=finish&uid=<long-string> |
|---|
| Fonte | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip |
|---|
| Utente | CookedMelon (UID 52513) |
|---|
| Sottomissione | 20/05/2026 17:36 (27 giorni fa) |
|---|
| Moderazione | 14/06/2026 15:54 (25 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 370863 [Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload uid buffer overflow] |
|---|
| Punti | 20 |
|---|