CVE-2018-17004
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wlan_access name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash critical services on TP-Link TL-WR886N routers by sending a long JSON value in the wlan_access name field.
Vulnerability
An issue exists in the TP-Link TL-WR886N router firmware versions 6.0 2.3.4 and 7.0 1.1.0. The wlan_access module, which manages the wireless access control list, accepts HTTP POST requests to add entries. When a request contains an overly long string value for the JSON key that specifies the access list name, a buffer overflow corrupts the module's configuration file. If the string is long enough, the overflow can crash the inetd task, which is responsible for managing critical network services such as HTTP, DNS, and UPnP [1].
Exploitation
An attacker must first authenticate to the router's web interface (e.g., with the administrator password). The attacker then sends a crafted HTTP POST request to the router's endpoint that handles wlan_access whitelist additions, including a JSON key-value pair where the value is an abnormally long string. The provided proof-of-concept code demonstrates sending such a request to trigger the overflow [1]. No user interaction beyond the attacker's own actions is required.
Impact
Successful exploitation causes the inetd daemon to crash, which halts multiple network services including the HTTP administration interface, DNS resolution, and UPnP functionality. This results in a denial-of-service (DoS) condition that persists until the router is rebooted. The crash does not lead to code execution or data theft, but it renders the router's management interface and some network services temporarily unavailable [1].
Mitigation
TP-Link has not released a patched firmware version as of the publication date (2018-09-13). The only known mitigation is to restrict administrative access to the router's web interface to trusted users and networks, or to upgrade to a later hardware/firmware revision if available. There is no workaround that does not involve modifying the firmware binary. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the `name` field in the `wlan_access` module allows a buffer overflow when writing to the config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `wlan_access` endpoint with an excessively long string (approximately 1.5 MB) in the `name` field of the JSON payload [1]. The attacker must first authenticate to the router by obtaining a `stok` token via the login endpoint. The oversized `name` value overflows the config file buffer, which in turn crashes the `inetd` task, stopping critical network services such as HTTP, DNS, and UPnP [1].
Affected code
The vulnerability resides in the `wlan_access` module of the TP-Link TL-WR886N firmware (version 1.1.0 on hardware v7.0, and version 2.3.4 on hardware v6.0). The module processes JSON data for adding a WLAN access whitelist entry via HTTP POST requests. When a long value is supplied for the `name` key in the JSON payload, the module's config file handling overflows [1].
What the fix does
No patch is provided in the bundle. The advisory does not specify any vendor fix or remediation. Based on the vulnerability description, a proper fix would involve adding input length validation on the `name` field in the `wlan_access` module to reject or truncate excessively long values before writing to the config file, preventing the buffer overflow that crashes the `inetd` task [1].
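A sketch of that length check in C, added here as an example and not taken from TP-Link's firmware or the advisory. The struct, the limits (`WLAN_NAME_MAX`, `CFG_LINE_MAX`), the function names and the config-line format are all assumptions, since the firmware source is not available on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical limits: the real firmware's buffer sizes are not public. */
#define WLAN_NAME_MAX 32   /* max bytes in an entry name, excluding NUL */
#define CFG_LINE_MAX  96   /* size of one config-file line buffer */

enum name_status { NAME_OK = 0, NAME_EMPTY, NAME_TOO_LONG,
                   NAME_BAD_CHAR, NAME_CFG_OVERFLOW };

/* Hypothetical in-memory form of one access-list entry. */
struct wlan_entry {
    char name[WLAN_NAME_MAX + 1];
    char mac[18];              /* "AA-BB-CC-DD-EE-FF" + NUL */
};

/* Validate the JSON "name" value before it is stored anywhere.
 * `len` is the length reported by the JSON parser, so the check never
 * depends on finding a terminator inside attacker-controlled data. */
enum name_status wlan_name_check(const char *val, size_t len)
{
    if (val == NULL || len == 0)
        return NAME_EMPTY;
    if (len > WLAN_NAME_MAX)
        return NAME_TOO_LONG;           /* reject instead of copying */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c < 0x20 || c == 0x7f)      /* NUL, CR/LF, other control bytes */
            return NAME_BAD_CHAR;       /* would break a line-based config */
    }
    return NAME_OK;
}

/* Store the name and render the config line; both steps are bounded. */
enum name_status wlan_entry_set(struct wlan_entry *e, const char *val, size_t len,
                                char *cfg_line, size_t cfg_size)
{
    enum name_status st = wlan_name_check(val, len);
    if (st != NAME_OK)
        return st;                      /* entry is left untouched */
    memcpy(e->name, val, len);
    e->name[len] = '\0';
    /* Assumed config-line format, for illustration only. */
    int n = snprintf(cfg_line, cfg_size, "wlan_access name=%s mac=%s\n",
                     e->name, e->mac);
    if (n < 0 || (size_t)n >= cfg_size)
        return NAME_CFG_OVERFLOW;       /* truncated output counts as failure */
    return NAME_OK;
}
```

Rejecting is used here rather than truncating so that an oversized request never changes stored state; the HTTP layer should additionally cap the request body size before the JSON is parsed.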
Preconditions
- network: Attacker must be able to reach the router's web interface (typically on the local network at 192.168.1.1)
- auth: Attacker must authenticate to the router with valid credentials to obtain a stok token
- input: Attacker sends a JSON payload with a name field containing approximately 1.5 MB of data
Reproduction
The researcher's PoC demonstrates the attack. Authenticate to the router at `http://192.168.1.1/` using the `security_encode` function to encode the password, obtain the `stok` token, then send a POST request to `http://192.168.1.1/stok=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1