VYPR
Unrated severity · NVD Advisory · Published Sep 13, 2018 · Updated Sep 17, 2024

CVE-2018-17009

Description

An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g isolate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated attackers can crash TP-Link TL-WR886N router services by sending a long JSON value for the wireless wlan_host_2g isolate parameter.

Vulnerability

A buffer overflow vulnerability exists in the wireless module of TP-Link TL-WR886N routers, firmware versions 6.0 2.3.4 and 7.0 1.1.0. When an authenticated user sends an HTTP POST request with an excessively long value for the wlan_host_2g isolate JSON key, the data overflows and corrupts the wireless module configuration file. This corruption can crash the inetd task, which manages critical network services. [1]

Exploitation

An attacker must first authenticate to the router's web interface using valid credentials. After obtaining a session token (stok), the attacker sends a crafted HTTP POST request to the wireless configuration endpoint with a long string in the wlan_host_2g isolate field. The provided proof-of-concept demonstrates the login process and the subsequent request that triggers the overflow.

Impact

Successful exploitation causes the inetd task to crash, resulting in denial of service for HTTP, DNS, and UPnP services. The router becomes unresponsive to web administration and network services until a reboot. No code execution or data disclosure is reported.

Mitigation

No official fix has been released by TP-Link for this vulnerability. The affected devices may be end-of-life. Users are advised to restrict network access to the router's administration interface and consider upgrading to a supported model if available. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

Missing input length validation on the JSON key "isolate" in the wireless wlan_host_2g configuration allows a buffer overflow when a long string is written to the config file.

Attack vector

An authenticated attacker sends an HTTP POST request to the router's /ds endpoint with a JSON payload containing an extremely long value (e.g., 1.5 MB of 'A' characters) for the "wireless.wlan_host_2g.isolate" key [ref_id=1]. The router's wireless module attempts to save this oversized value to the config file, causing a buffer overflow that corrupts the config file and crashes the inetd task [ref_id=1]. Since inetd manages multiple network services, the crash stops HTTP, DNS, and UPnP services, effectively denying service to legitimate users [ref_id=1]. The attacker must first authenticate by obtaining a valid stok token via the login endpoint [ref_id=1].

Affected code

The advisory [ref_id=1] identifies the wireless module's handling of the "wlan_host_2g" configuration as the vulnerable code path. Specifically, the JSON key "isolate" under "wireless.wlan_host_2g" is processed without length validation when saving to the config file. No source code or patch files are provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation guidance or indicate whether TP-Link released a fix. To close this vulnerability, the router firmware should validate the length of the "isolate" JSON value before writing it to the config file, truncating or rejecting inputs that exceed a reasonable maximum size.
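The length check described above, sketched as an added example; it is not TP-Link firmware code, which the advisory does not provide. The struct, the 8-byte field size, the status codes and the `wlan_host_2g.isolate=` config line format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ISOLATE_MAX 8   /* assumed field size; the advisory gives no real value */

/* Hypothetical in-memory copy of the wlan_host_2g settings. */
struct wlan_host_cfg { char isolate[ISOLATE_MAX]; };

enum cfg_status { CFG_OK = 0, CFG_TOO_LONG = -1, CFG_BAD_CHAR = -2, CFG_NO_SPACE = -3 };

/* Validate a length-delimited JSON string value, then commit it.
 * Every check runs before the first write, so a rejected request
 * leaves the stored setting exactly as it was. */
int cfg_set_isolate(struct wlan_host_cfg *cfg, const char *val, size_t len)
{
    if (len >= sizeof cfg->isolate)           /* reject; keep room for the NUL */
        return CFG_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c < 0x20 || c > 0x7e)             /* no NUL, newline or control bytes */
            return CFG_BAD_CHAR;              /* in a line-oriented config file   */
    }
    memcpy(cfg->isolate, val, len);
    cfg->isolate[len] = '\0';
    return CFG_OK;
}

/* Serialize the setting as one config line (assumed format). A line that
 * does not fit is reported and discarded rather than written truncated. */
int cfg_format_isolate(const struct wlan_host_cfg *cfg, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "wlan_host_2g.isolate=%s\n", cfg->isolate);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return CFG_NO_SPACE;
    }
    return n;                                 /* bytes to write to the file */
}

int main(void)
{
    struct wlan_host_cfg cfg = { "0" };
    char oversized[64], line[64];             /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);
    printf("oversized value -> %d\n", cfg_set_isolate(&cfg, oversized, sizeof oversized));
    printf("value \"1\" -> %d\n", cfg_set_isolate(&cfg, "1", 1));
    if (cfg_format_isolate(&cfg, line, sizeof line) > 0)
        fputs(line, stdout);
    return 0;
}
```

Rejecting rather than truncating keeps the stored value predictable; a cap on the HTTP request body size in front of the JSON parser would complement this check.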

Preconditions

  • auth: Attacker must be authenticated to the router's web interface (obtain a valid stok token)
  • network: Attacker must have network access to the router's HTTP management interface (typically LAN-side on 192.168.1.1)
  • input: Attacker sends a JSON payload with a value of approximately 1.5 MB or larger for the isolate key

Reproduction

The advisory [ref_id=1] includes a full Python PoC script. The attacker authenticates using the `get_token()` function with a known password, then sends a POST request to `/stok=<token>/ds` with a JSON body where `wireless.wlan_host_2g.isolate` is set to a string of 1.5 million 'A' characters. The script sets a 3-second timeout and prints the response.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
