CVE-2018-17011
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for hosts_info para sun.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash TP-Link TL-WR886N router services by sending a long JSON value in the hosts_info parameter, causing a denial of service.
Vulnerability
An issue exists in the hosts_info module of TP-Link TL-WR886N routers running firmware versions 2.3.4 (hardware 6.0) and 1.1.0 (hardware 7.0). When an authenticated user sends an HTTP POST request containing an excessively long value for a specific JSON key in the hosts_info parameter, the router's configuration file handling overflows, corrupting the config data and crashing the inetd task [1].
Exploitation
An attacker must first authenticate to the router's web interface. After obtaining a valid session token (e.g., via the login endpoint), they craft a POST request to the hosts_info endpoint with a JSON payload where one of the key values is a long string (the POC uses a string of several hundred characters). This triggers the overflow when the router attempts to save the configuration, leading to the crash of inetd [1].
Impact
Successful exploitation causes the inetd process to terminate, which stops critical network services including HTTP (web interface), DNS, and UPnP. The router becomes unresponsive to management and certain network functions, resulting in a denial-of-service condition until the device is rebooted [1].
Mitigation
As of the publication date (2018-09-13), no official firmware patch has been released by TP-Link to address this vulnerability. Users should restrict administrative access to trusted networks only and monitor for future firmware updates. The affected devices may be end-of-life; if so, replacement with a supported model is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input-length validation on JSON `para` fields in the `hosts_info` module allows a buffer overflow when saving data to the config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `hosts_info` endpoint with an excessively long string value in one of the `para` JSON keys (e.g., `mon`, `tue`, `wed`, `thu`, `fri`, `sat`, or `sun`) [ref_id=1]. The long value overflows the internal buffer when the module saves data to the config file, corrupting the configuration and crashing the `inetd` task [ref_id=1]. Because `inetd` manages multiple network services, its crash stops HTTP, DNS, and UPnP, effectively denying service to legitimate users [ref_id=1]. The attacker must first authenticate (obtain a valid `stok` token) via the login endpoint [ref_id=1].
Affected code
The vulnerability resides in the `hosts_info` module of the TP-Link TL-WR886N firmware (version 1.1.0 on hardware v7.0, and version 2.3.4 on hardware v6.0). The module processes JSON data for the `para` sub-object when setting up host block plans via HTTP POST requests [ref_id=1]. No patch files are provided in the bundle.
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance from the vendor [ref_id=1]. To close the vulnerability, the vendor would need to add input-length validation on the JSON `para` fields (e.g., `mon`, `tue`, `sun`) before writing them to the config file, so that values cannot exceed the allocated buffer size, which prevents the buffer overflow that crashes `inetd` [ref_id=1].
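One way such a length check could look, as an added example (not TP-Link's code and not taken from the advisory). The 32-byte slot size, the `plan_record` and `plan_kv` types, and `plan_apply` are assumptions for illustration; only the day key names come from the text above. Every field is validated before anything is committed, so a rejected request leaves the stored record unchanged.

```c
#include <stddef.h>
#include <string.h>

#define PLAN_FIELD_MAX 32   /* assumed slot size; the page does not give the real one */
#define PLAN_DAYS 7

enum { PLAN_OK = 0, PLAN_BAD_ARG = -1, PLAN_BAD_KEY = -2, PLAN_TOO_LONG = -3 };

/* Day keys named in the advisory text. */
static const char *const PLAN_KEYS[PLAN_DAYS] =
    {"mon", "tue", "wed", "thu", "fri", "sat", "sun"};

/* Hypothetical fixed-size record as it would be written to the config file. */
struct plan_record { char day[PLAN_DAYS][PLAN_FIELD_MAX]; };

/* One key/value pair as a JSON parser would hand it over (explicit length). */
struct plan_kv { const char *key; const char *val; size_t len; };

static int plan_key_index(const char *key)
{
    for (int i = 0; i < PLAN_DAYS; i++)
        if (strcmp(key, PLAN_KEYS[i]) == 0)
            return i;
    return -1;
}

/* Validate every pair first, then commit: a rejected request leaves *rec untouched. */
int plan_apply(struct plan_record *rec, const struct plan_kv *kv, size_t n)
{
    struct plan_record staged;
    if (rec == NULL || (kv == NULL && n > 0))
        return PLAN_BAD_ARG;
    staged = *rec;
    for (size_t i = 0; i < n; i++) {
        if (kv[i].key == NULL || kv[i].val == NULL)
            return PLAN_BAD_ARG;
        int idx = plan_key_index(kv[i].key);
        if (idx < 0)
            return PLAN_BAD_KEY;
        if (kv[i].len >= PLAN_FIELD_MAX)        /* reject, never truncate */
            return PLAN_TOO_LONG;
        if (memchr(kv[i].val, '\0', kv[i].len) != NULL)
            return PLAN_BAD_ARG;                /* embedded NUL would desync length */
        memcpy(staged.day[idx], kv[i].val, kv[i].len);
        staged.day[idx][kv[i].len] = '\0';
    }
    *rec = staged;
    return PLAN_OK;
}
```

Rejecting an oversized value outright, instead of truncating it, keeps a partially valid plan from being written to the config.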
Preconditions
- auth: Attacker must be authenticated to the router (obtain a valid stok token via the login endpoint).
- network: Attacker must have network access to the router's HTTP management interface (typically on port 80).
- input: The payload is a long string (e.g., ~1 MB of 'A' characters) placed in one of the hosts_info para JSON keys.
Reproduction
The PoC in [ref_id=1] provides reproduction steps. Authenticate to the router at `http://192.168.1.1/` using the `security_encode` function to derive the password hash. Obtain the `stok` token from the login response. Then send a POST request to `http://192.168.1.1/stok=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.