Submit #834205: yealink T46U 108.86.0.118 Stack-based Buffer Overflowinfo

Title	yealink T46U 108.86.0.118 Stack-based Buffer Overflow
Description	Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the accessory firmware chunk upload handler of `fcgiserver`. The vulnerable endpoint is: ```text POST /api/upgrade/accupgradebychunk ``` The vulnerable handler is `mod_upgrade.SparePartsUpload()`. During the `finish` phase, the request-controlled `uid` value is inserted into a fixed-size stack buffer with `sprintf()` without length validation. The `upload` phase also uses request-controlled path fragments to construct a rename destination. poc POST /api/upgrade/prepareaccessories?p=Upgrade&t=<timestamp> HTTP/1.1 ... POST /api/upgrade/accupgradebychunk?p=Upgrade&t=<timestamp> HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 type=headsetrom&phase=finish&uid=<long-string>
Source	⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip
User	CookedMelon (UID 52513)
Submission	05/20/2026 17:36 (25 days ago)
Moderation	06/14/2026 15:54 (25 days later)
Status	Accepted
VulDB entry	370863 [Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload uid stack-based overflow]
Points	20

Interested in the pricing of exploits?

See the underground prices here!