| Title | yealink T46U 108.86.0.118 Stack-based Buffer Overflow |
|---|
| Description | Yealink T46U phone firmware `x.x.x.x` contains a stack buffer overflow vulnerability in the firmware chunk upload handler of `fcgiserver`. The vulnerable endpoint is:
```text
POST /api/upgrade/upgrade
```
The handler accepts chunk upload parameters such as `uid` and `start_offset`. These values are checked as decimal strings but are not length-limited before being concatenated into a fixed-size stack path buffer with `sprintf()`.
poc
POST /api/upgrade/beforeupgrade?p=Upgrade&t=<timestamp> HTTP/1.1
...
POST /api/upgrade/upgrade?p=Upgrade&t=<timestamp> HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
uType=chunk&phase=upload&uid=<long-numeric-string>&start_offset=0
|
|---|
| Source | ⚠️ http://cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrade_chunk_stack_overflow.zip |
|---|
| User | CookedMelon (UID 52513) |
|---|
| Submission | 05/20/2026 17:40 (26 days ago) |
|---|
| Moderation | 06/14/2026 15:54 (25 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370864 [Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload /api/upgrade/upgrade sprintf uid/start_offset stack-based overflow] |
|---|
| Points | 20 |
|---|