CVE-2018-17008
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g power.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash inetd, HTTP, DNS, and UPnP services by sending a long JSON value for wireless wlan_host_2g power on TP-Link TL-WR886N devices.
Vulnerability
An issue exists in the wireless module of TP-Link TL-WR886N firmware versions 2.3.4 (hardware 6.0) and 1.1.0 (hardware 7.0). The router allows authenticated users to configure wireless power parameters via an HTTP POST request containing JSON data. The "wlan_host_2g" key's value is not properly length-checked; passing an extremely long string causes a buffer overflow that corrupts the wireless configuration file [1]. This corruption subsequently crashes the inetd task, which manages multiple core network services [1].
Exploitation
An attacker must first authenticate to the router's web interface (using valid credentials). The proof‑of‑concept code demonstrates sending a crafted HTTP POST request to the login endpoint, then using the obtained stok token to issue a request with an excessively long value for the wlan_host_2g parameter [1]. The long string overflows the buffer during the saving process, breaking the configuration and crashing the inetd task [1].
Impact
Successful exploitation stops inetd and consequently disables HTTP, DNS, and UPnP services, making the router partially inoperable. The attacker achieves a denial‑of‑service condition on the affected services. No remote code execution or persistent privilege escalation is reported from this vulnerability [1].
Mitigation
As of publication, TP-Link had not released a firmware patch for the TL-WR886N 6.0 or 7.0 to address this issue [1]. Users may restrict administrative access to trusted IPs and change the default credentials to reduce the attack surface. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the wireless wlan_host_2g power parameter allows a buffer overflow when writing to the config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `/stok=
Affected code
The vulnerability resides in the wireless module's handling of the `wlan_host_2g` power parameter. When the router receives an HTTP POST request to set wireless power, the module saves the value to a config file without proper length validation [ref_id=1]. The affected firmware is TP-Link TL-WR886N 7.0 version 1.1.0 (and TL-WR886N 6.0 2.3.4) [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] describes the root cause but does not include a fix. To remediate, the vendor should implement input length validation on the `wlan_host_2g` power parameter before writing it to the config file, ensuring the value does not exceed the buffer allocated for that field.
Preconditions
- authAttacker must have valid credentials to authenticate to the router's web interface
- networkAttacker must be able to send HTTP POST requests to the router on the local network
- inputThe power parameter value must be a long string of characters (e.g., approximately 1.5 MB of '0' characters)
Reproduction
The researcher's PoC [ref_id=1] provides reproduction steps. Authenticate to the router at `http://192.168.1.1/` using the provided `security_encode` function to obtain a `stok` token. Then send an HTTP POST request to `http://192.168.1.1/stok=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.