CVE-2018-17012
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for hosts_info set_block_flag up_limit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash router services on TP-Link TL-WR886N by sending a long JSON value for hosts_info set_block_flag up_limit.
Vulnerability
An issue exists in the hosts_info module of TP-Link TL-WR886N firmware versions 6.0 2.3.4 and 7.0 1.1.0. An authenticated attacker can send a crafted HTTP POST request with an excessively long JSON value for the set_block_flag up_limit parameter. This causes a buffer overflow that corrupts the module's configuration file and crashes the inetd task, which manages essential network services like HTTP, DNS, and UPnP [1].
Exploitation
The attacker must be authenticated to the router. Using the credentials, they can issue a POST request to the / endpoint with a JSON payload containing a very long string in the up_limit field. The reference provides a proof-of-concept that demonstrates the overflow, which inevitably leads to the termination of the inetd process [1]. No user interaction beyond authentication is required.
Impact
A successful attack results in a denial-of-service (DoS) condition: the router's network services (HTTP, DNS, UPnP) become unresponsive, effectively disabling the router's management interface and network functionality. The device may need to be rebooted to restore services. No code execution or data leakage is reported.
Mitigation
The vendor has not released a firmware update addressing this vulnerability as of the publication date. Users are advised to restrict access to the router's administration interface to trusted networks and consider upgrading to a newer model if available. No workaround is documented in the references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the `up_limit` JSON field in the `hosts_info` module causes a buffer overflow when a long string is supplied."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `/stok=
Affected code
The vulnerability resides in the `hosts_info` module's `set_block_flag` handler, specifically in the processing of the `up_limit` JSON key. The advisory identifies that sending an overly long string value for this key overflows and corrupts the module's config file, and can crash the `inetd` task [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation guidance from the vendor [ref_id=1]. Without a published patch, the recommended mitigation would be to restrict input length for the `up_limit` JSON field in the `hosts_info` module.
Preconditions
- authAttacker must be authenticated to the router's web interface
- networkAttacker must be able to send HTTP POST requests to the router's management interface (typically LAN-side)
- inputThe `up_limit` field in the JSON payload must contain a string of approximately 1.5 MB or larger
Reproduction
The advisory includes a full Python PoC [ref_id=1]. After authenticating with the router's password, send a POST request to `http://192.168.1.1/stok=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.