CVE-2018-17006
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for firewall lan_manage mac2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash multiple router services on TP-Link TL-WR886N by sending a long JSON value in the firewall lan_manage mac2 parameter.
Vulnerability
An issue exists in the firewall module of TP-Link TL-WR886N routers (firmware versions 2.3.4 for hardware 6.0 and 1.1.0 for hardware 7.0). When an authenticated user sends an HTTP POST request with an excessively long value in the mac2 JSON key under firewall lan_manage, the router's config file overflows, corrupting the firewall configuration and crashing the inetd task [1].
Exploitation
An attacker must first authenticate to the router's web interface. Using a crafted HTTP POST request to the firewall endpoint, the attacker supplies a long string for the mac2 parameter. The provided proof-of-concept demonstrates login via a custom encoding function and then sending the malicious payload [1]. No additional privileges or user interaction beyond authentication are required.
Impact
Successful exploitation crashes the inetd task, which stops essential network services including HTTP, DNS, and UPnP. This results in a denial-of-service condition, rendering the router's web interface and other network functions unavailable until a reboot [1].
Mitigation
No official fix or patched firmware version is mentioned in the available reference [1]. Users should monitor TP-Link's support page for updates. As a workaround, restrict administrative access to trusted hosts only.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the `mac2` JSON field in the firewall LAN management configuration causes a buffer overflow when a long value is written to the config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `/stok=
Affected code
The vulnerability resides in the firewall module's admin MAC binding functionality of the TP-Link TL-WR886N firmware (version 1.1.0 on hardware v7.0). The affected code path processes the JSON key `mac2` under `firewall.lan_manage` without proper length validation [ref_id=1].
What the fix does
No patch is provided in the available information. The advisory [ref_id=1] describes the root cause as a lack of input length validation on the `mac2` JSON key in the firewall's LAN management configuration. To remediate, the vendor would need to enforce a maximum length check on the `mac2` value before writing it to the configuration file, preventing the buffer overflow that crashes services such as inetd, HTTP, DNS, and UPnP.
Preconditions
- authAttacker must have valid credentials to authenticate to the router's web interface
- networkAttacker must be able to reach the router's HTTP management interface (typically LAN-side)
- inputAttacker sends a crafted JSON payload with an overly long value for the 'mac2' key
Reproduction
The PoC provided in [ref_id=1] demonstrates reproduction. First authenticate to the router at `http://192.168.1.1/` using the `security_encode` function to obtain a `stok` token. Then send a POST request to `http://192.168.1.1/stok=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.