CVE-2018-17010
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g bandwidth.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash TP-Link TL-WR886N router services (inetd, HTTP, DNS, UPnP) by sending a long JSON value for the wireless wlan_host_2g bandwidth parameter.
Vulnerability
An issue was discovered on TP-Link TL-WR886N firmware versions 2.3.4 (hardware 6.0) and 1.1.0 (hardware 7.0) [1]. The vulnerability resides in the wireless configuration module, where a crafted HTTP POST request containing an excessively long JSON value for the wlan_host_2g bandwidth parameter can cause a buffer overflow when the wireless module saves data to the config file [1]. This overflow corrupts memory and eventually crashes the inetd task, which halts network services such as HTTP, DNS, and UPnP [1].
Exploitation
An attacker must first obtain valid authentication credentials for the router's web interface. Once authenticated, the attacker sends a POST request to the wireless configuration endpoint with a JSON payload in which the value of the wlan_host_2g bandwidth key is a long string, as in the PoC. The specific length required to trigger the overflow is not publicly detailed, but the provided exploit demonstrates that a sufficiently long string, as generated by the PoC script, causes the crash [1]. No special network position is needed beyond access to the LAN or WAN interface where the router's web server is reachable [1].
Impact
Successful exploitation crashes the inetd task, which is responsible for launching essential network services including the HTTP web server, DNS, and UPnP [1]. This results in a denial of service (DoS) affecting the router's management interface and network services, requiring a physical reboot to restore normal operation [1]. No code execution or privilege escalation has been reported [1].
Mitigation
As of the publication date (2018-09-13) and the available references, TP-Link has not released a patched firmware version for either affected model [1]. Users should consider upgrading to a newer hardware revision or firmware version if available, or restrict LAN access to only trusted users to limit the attack surface. The device is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the JSON 'bandwidth' field allows a buffer overflow when writing to the wireless config file, crashing the inetd task."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `/stok=<token>/ds` endpoint with a JSON payload containing an excessively long string value for the `bandwidth` key under `wireless.wlan_host_2g` [ref_id=1]. The long value overflows the wireless module's config file buffer, which in turn crashes the `inetd` task [ref_id=1]. Since `inetd` manages multiple network services, this denial-of-service condition stops HTTP, DNS, and UPnP services [ref_id=1]. The attacker must first authenticate to the router using a valid password to obtain a `stok` token [ref_id=1].
Affected code
The vulnerability resides in the wireless configuration module of the TP-Link TL-WR886N firmware. The router's `inetd` task processes JSON data for the `wlan_host_2g` object, specifically the `bandwidth` key. No patch or source code is provided in the advisory, so the exact function names are not identified.
What the fix does
No patch is provided in the advisory. The researcher's report does not include a vendor fix or remediation guidance [ref_id=1]. To mitigate the issue, the router firmware should validate the length of JSON string values for wireless configuration parameters (such as `bandwidth`, `ssid`, and `channel`) before writing them to the config file, preventing buffer overflow and the subsequent crash of `inetd`.
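One way to implement the length check described above, as an added example rather than TP-Link's code or code from the advisory. The record layout, field limits, and function names are hypothetical; values are staged in a copy so that a rejected request leaves the stored config untouched.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical record for wireless.wlan_host_2g. Field limits are assumptions
   for illustration, not values taken from TP-Link firmware. */
enum { SSID_MAX = 32, BANDWIDTH_MAX = 8, CHANNEL_MAX = 4 };
struct wlan_host_cfg {
    char ssid[SSID_MAX + 1];
    char bandwidth[BANDWIDTH_MAX + 1];
    char channel[CHANNEL_MAX + 1];
};
/* One decoded JSON member; value_len is the length the parser reported. */
struct kv { const char *key; const char *value; size_t value_len; };
enum cfg_status { CFG_OK = 0, CFG_UNKNOWN_KEY = -1, CFG_TOO_LONG = -2, CFG_BAD_ARG = -3 };

/* Copy a value only if it fits; oversized input is rejected, never truncated. */
static enum cfg_status put_field(char *dst, size_t cap, const struct kv *kv)
{
    if (kv->value_len > cap) return CFG_TOO_LONG;
    memcpy(dst, kv->value, kv->value_len);
    dst[kv->value_len] = '\0';
    return CFG_OK;
}

/* Route a key to its fixed-size field; unknown keys are refused. */
static enum cfg_status set_one(struct wlan_host_cfg *cfg, const struct kv *kv)
{
    if (!kv->key || !kv->value) return CFG_BAD_ARG;
    if (strcmp(kv->key, "ssid") == 0) return put_field(cfg->ssid, SSID_MAX, kv);
    if (strcmp(kv->key, "bandwidth") == 0) return put_field(cfg->bandwidth, BANDWIDTH_MAX, kv);
    if (strcmp(kv->key, "channel") == 0) return put_field(cfg->channel, CHANNEL_MAX, kv);
    return CFG_UNKNOWN_KEY;
}

/* Validate every member against a staged copy and commit only if all pass,
   so a rejected request leaves the stored config unchanged. */
enum cfg_status wlan_cfg_apply(struct wlan_host_cfg *cfg, const struct kv *kvs, size_t n)
{
    struct wlan_host_cfg staged;
    if (!cfg || (!kvs && n > 0)) return CFG_BAD_ARG;
    staged = *cfg;
    for (size_t i = 0; i < n; i++) {
        enum cfg_status rc = set_one(&staged, &kvs[i]);
        if (rc != CFG_OK) return rc;
    }
    *cfg = staged;
    return CFG_OK;
}
```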
Preconditions
- auth: Attacker must have valid credentials to authenticate to the router's web interface
- network: Attacker must be able to reach the router's HTTP management interface on the local network
- input: Attacker sends a crafted JSON payload with an oversized value for the 'bandwidth' key
Reproduction
The advisory includes a full Python proof-of-concept script [ref_id=1]. The attacker authenticates to the router at `http://192.168.1.1/` using the `security_encode` function to encode the password, obtains a `stok` token, then sends a POST request to `http://192.168.1.1/stok=<token>/ds` with a JSON body where `wireless.wlan_host_2g.bandwidth` is set to a string of `'A'` characters of length `int(1.5 * 1024 * 1204)` (approximately 1.5 MB) [ref_id=1]. The advisory notes that similar oversized values for `ssid` and `channel` keys also trigger the crash [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.