CVE-2018-17013
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for protocol wan wan_rate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash TP-Link TL-WR886N router services by sending a long JSON value for the wan_rate parameter.
Vulnerability
An issue exists in the TP-Link TL-WR886N firmware versions 6.0 2.3.4 and 7.0 1.1.0. The protocol module that handles WAN configuration via HTTP POST requests does not properly validate the length of the wan_rate parameter in JSON data. Sending an excessively long value causes a buffer overflow, corrupting the configuration file and crashing the inetd task [1].
Exploitation
An attacker must be authenticated to the router's web interface. After obtaining valid credentials, the attacker sends an HTTP POST request to the management interface with a JSON payload containing a very long string for the wan_rate key. The overflow triggers a crash of inetd, which stops essential network services [1].
Impact
Successful exploitation results in a denial of service (DoS). The crash of inetd disables critical services such as HTTP (web interface), DNS, and UPnP, rendering the router's network functions unavailable until a reboot [1].
Mitigation
No official fix has been disclosed in the available references [1]. Monitor TP-Link's support page for firmware updates. Until a fix is available, restrict management access to trusted hosts on the LAN, keep WAN-side remote management disabled, and replace the default administrator password: exploitation requires valid credentials, so weak or default credentials are what turns this into a practical attack.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the `wan_rate` JSON field causes a buffer overflow when a long value is written to the protocol module's config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's `/ds` endpoint with a JSON payload containing an excessively long string value for the `protocol.wan.wan_rate` key [ref_id=1]. The router's protocol module copies this value into a config file without bounds checking, causing a buffer overflow that corrupts memory and crashes the `inetd` task [ref_id=1]. Since `inetd` manages HTTP, DNS, and UPnP services, all of these become unavailable, resulting in a denial-of-service condition [ref_id=1]. The attacker must first authenticate by obtaining a valid `stok` token via the login endpoint [ref_id=1].
Affected code
The vulnerability exists in the protocol module of TP-Link TL-WR886N firmware version 1.1.0 (hardware version 7.0) [ref_id=1]. The module processes JSON data from HTTP POST requests and saves parameters to a config file without validating the length of the `wan_rate` field [ref_id=1]. The advisory does not specify the exact source file or function name.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide a fix or indicate that TP-Link released a firmware update. To remediate this vulnerability, the router firmware should enforce a maximum length on the `wan_rate` (and other JSON string fields) before writing them to the config file, preventing the buffer overflow.
Preconditions
- network: Attacker must be able to reach the router's web interface (typically on the local network at 192.168.1.1)
- auth: Attacker must authenticate with a valid password to obtain a stok token
- input: The HTTP POST request must include a JSON payload with an overly long string value for the wan_rate field
Reproduction
1. Authenticate to the router at `http://192.168.1.1/` and obtain a valid `stok` token using the provided `security_encode` and `get_token` functions [ref_id=1].
2. Send a POST request to `http://192.168.1.1/stok=<token>/ds` with a JSON body where `protocol.wan.wan_rate` is set to a string of approximately 1 MB (e.g., `'A' * 1024 * 1024`) [ref_id=1].
3. The router's `inetd` task crashes, stopping HTTP, DNS, and UPnP services [ref_id=1].
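The length check described under "What the fix does", together with the ~1 MB payload from the reproduction steps above, as an added example in C. This is not TP-Link's firmware and not code from the advisory: the advisory names no source file, struct or function, so `struct wan_cfg`, `WAN_RATE_MAX` and the field sizes are assumptions chosen for illustration, and JSON parsing is assumed to have already yielded the `wan_rate` string. It places the unbounded copy (the defect) beside a setter that rejects over-long values before writing, and shows arithmetically how far the unchecked copy would overrun the field rather than executing the overflow.

```c
/*
 * Added example (not TP-Link's firmware). Models the CVE-2018-17013 pattern:
 * a JSON string for wan_rate is written into a fixed-size config field.
 * ASSUMPTIONS: struct wan_cfg, WAN_RATE_MAX and the field sizes are invented
 * for illustration; the advisory names no source file, struct or function.
 * JSON parsing is assumed to have already produced the string `value`.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WAN_RATE_MAX 15   /* assumed: room for values such as "1000Mbps" */

struct wan_cfg {
    char wan_rate[WAN_RATE_MAX + 1];  /* field filled from protocol.wan.wan_rate */
    char wan_mode[16];                /* neighbouring data an overflow would clobber */
};

/* "Before": unbounded copy. A value longer than WAN_RATE_MAX runs past
 * wan_rate into the memory after it. Kept only to show the defect; do not
 * call it with attacker-controlled input. */
void set_wan_rate_unchecked(struct wan_cfg *cfg, const char *value)
{
    strcpy(cfg->wan_rate, value);
}

/* Bytes an unchecked copy of `value` (NUL included) would write beyond a
 * field of `cap` bytes. Computed arithmetically, so it is safe on a 1 MiB
 * string where the copy itself would not be. */
size_t overflow_bytes(const char *value, size_t cap)
{
    size_t need = strlen(value) + 1;
    return need > cap ? need - cap : 0;
}

/* "After": reject over-long values before touching the config structure.
 * Returns 0 on success, -1 (cfg untouched) if the value exceeds WAN_RATE_MAX. */
int set_wan_rate_checked(struct wan_cfg *cfg, const char *value)
{
    size_t len = strlen(value);
    if (len > WAN_RATE_MAX)
        return -1;
    memcpy(cfg->wan_rate, value, len + 1);  /* len + 1 <= sizeof cfg->wan_rate */
    return 0;
}

/* Constructs the payload from the advisory's reproduction: n bytes of 'A'. */
char *make_long_value(size_t n)
{
    char *v = malloc(n + 1);
    if (v == NULL)
        abort();
    memset(v, 'A', n);
    v[n] = '\0';
    return v;
}

/* Runs the checked setter against a 1 MiB value. Returns 1 if the value is
 * rejected and the previous settings survive, 0 otherwise. */
int long_value_is_rejected(void)
{
    struct wan_cfg cfg = { "100M", "dhcp" };
    char *evil = make_long_value(1024 * 1024);
    int rc = set_wan_rate_checked(&cfg, evil);
    int ok = (rc == -1) && strcmp(cfg.wan_rate, "100M") == 0
             && strcmp(cfg.wan_mode, "dhcp") == 0;
    free(evil);
    return ok;
}

int main(void)
{
    struct wan_cfg cfg = { "", "dhcp" };
    char *evil = make_long_value(1024 * 1024);

    /* Both setters behave identically on a well-formed value. */
    set_wan_rate_unchecked(&cfg, "100M");
    printf("unchecked, benign value: wan_rate=\"%s\"\n", cfg.wan_rate);

    /* The unchecked path with the advisory's payload is not executed here;
     * the arithmetic shows how far it would write past the field. */
    printf("unchecked copy would overrun wan_rate by %zu bytes\n",
           overflow_bytes(evil, sizeof cfg.wan_rate));

    printf("checked path rejects 1 MiB value: %s\n",
           long_value_is_rejected() ? "yes" : "no");

    if (set_wan_rate_checked(&cfg, "1000Mbps") == 0)
        printf("checked path accepts \"%s\"\n", cfg.wan_rate);

    free(evil);
    return 0;
}
```

The important property is that `set_wan_rate_checked` fails closed: the length test happens before any byte reaches the config structure, so a rejected request leaves the running configuration and the neighbouring fields exactly as they were. Whatever the real module's field sizes are, the same rule applies to every JSON string it persists, not only `wan_rate`.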
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.