CVE-2018-17018
Description
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for time_switch name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can crash multiple router services on TP-Link TL-WR886N by sending a long JSON value in the time_switch name parameter.
Vulnerability
An issue exists in the time_switch module of TP-Link TL-WR886N routers running firmware versions 2.3.4 (hardware 6.0) and 1.1.0 (hardware 7.0). Sending a long string value for the name key in the JSON payload of a time_switch configuration request causes a buffer overflow in the module's config file. This overflow can corrupt the configuration and, if the string is sufficiently long, crash the inetd task, which manages several network services [1].
Exploitation
An attacker must first authenticate to the router's web interface. Once authenticated, they send an HTTP POST request to the router with a crafted JSON payload containing an excessively long value for the name parameter in the time_switch object. The long string overflows the internal buffer, corrupting the configuration file and potentially causing the inetd process to crash [1].
Impact
A successful attack results in a denial of service (DoS) condition. The crash of inetd stops multiple network services, including HTTP (web interface), DNS, and UPnP. The router becomes unresponsive to management and network services until it is rebooted. No code execution or data disclosure is indicated [1].
Mitigation
No official fix or firmware update has been disclosed in the available reference [1]. Users should restrict access to the router's management interface to trusted networks and monitor TP-Link's support pages for future firmware releases that may address this issue.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation on the "name" field in the time_switch JSON handler allows a buffer overflow when the value is written to a config file."
Attack vector
An authenticated attacker sends an HTTP POST request to the router's JSON API endpoint (e.g., `/stok=<token>/ds`) with a crafted JSON payload for the `time_switch` module. The `name` field is set to a very long string (approximately 1.5 MB of 'A' characters in the PoC). When the time_switch module writes this oversized value to its config file, the buffer overflow corrupts the config data and, if the string is long enough, crashes the `inetd` task, which stops HTTP, DNS, and UPnP services [ref_id=1]. The attacker must first authenticate to obtain a valid `stok` token.
Affected code
The advisory [ref_id=1] does not specify exact source files or function names. The vulnerability resides in the time_switch module of the TP-Link TL-WR886N firmware (version 1.1.0 for hardware v7.0 and version 2.3.4 for hardware v6.0), which handles JSON POST requests containing a `time_switch` object with a `name` key. The module writes the user-supplied name value to a config file without length validation.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a vendor fix or remediation guidance. To close this vulnerability, the vendor would need to add input length validation on the `name` field in the time_switch JSON handler before writing the value to the config file, ensuring the string cannot exceed the allocated buffer size.
Preconditions
- authAttacker must have valid credentials to authenticate to the router's web interface and obtain a stok token.
- networkAttacker must be able to reach the router's HTTP management interface on the local network.
- inputThe time_switch module must be accessible via the JSON API endpoint.
Reproduction
1. Authenticate to the router at `http://192.168.1.1/` with valid credentials to obtain a `stok` token. 2. Send a POST request to `http://192.168.1.1/stok=<token>/ds` with a JSON body containing a `time_switch` object where the `name` field is set to a string of approximately 1.5 million 'A' characters. 3. The router's inetd task will crash, stopping HTTP, DNS, and UPnP services [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.