CVE-2021-31642
Description
A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and makes it unavailable until the device is rebooted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in CHIYU IoT devices' web portal allows unauthenticated remote DoS via oversized page parameter.
Vulnerability
An integer overflow exists in the page parameter of the web portal on several CHIYU Technology IoT devices, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. Sending an integer larger than 32 bits triggers the overflow, crashing the portal. Affected firmware versions are not specified in the available references [1][3].
Exploitation
An unauthenticated attacker can exploit this remotely by sending a crafted HTTP request with a page value exceeding 32 bits. No user interaction or special privileges are required. The crash renders the web portal unavailable until a device reboot [3].
Impact
Successful exploitation causes a denial of service condition: the web management interface becomes unresponsive. The device continues to operate but cannot be managed via the web portal until rebooted. This impacts availability of the management functionality [1][3].
Mitigation
No official firmware update or workaround is disclosed in the referenced sources [1][3]. Restricting network access to the web portal to trusted hosts can reduce exposure. Users should monitor the vendor's website for future patches.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CHIYU Technology/IoT devices
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in the handling of the page parameter in if.cgi allows an attacker-supplied value exceeding 32 bits to cause a crash."
Attack vector
An attacker sends an HTTP request to the if.cgi component with a page parameter set to an integer larger than 32 bits (e.g., 2781000). The web portal processes this value without bounds checking, triggering an integer overflow that crashes the web portal. The device becomes unavailable until a manual reboot is performed. No authentication is required beyond the prerequisite of network access to the device's web interface [ref_id=1].
Affected code
The vulnerable component is if.cgi, specifically the handling of the page parameter [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory states that "the latest version of the CHIYU firmware should be installed to mitigate this vulnerability" [ref_id=1]. A proper fix would involve adding input validation on the page parameter to reject values that exceed the expected 32-bit integer range, preventing the overflow condition.
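The input validation described above, as an added example that is not CHIYU firmware code and does not come from the cited advisory: a hypothetical `parse_page_param` helper that a CGI handler could call before using `page`. The `max_page` bound and the value 500 are assumptions; because the sample value 2781000 quoted on this page fits in 32 bits, the helper checks the valid page count as well as the integer width.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (name and signature are assumptions, not vendor code).
 * Accepts `value` only if it is a plain decimal number in [1, max_page].
 * Returns 0 and stores the page in *out on success, -1 on rejected input. */
int parse_page_param(const char *value, uint32_t max_page, uint32_t *out)
{
    char *end = NULL;
    unsigned long long n;

    if (value == NULL || out == NULL)
        return -1;
    /* First character must be a digit: strtoull would otherwise accept
     * leading whitespace, '+' and '-' (a '-' wraps to a huge value). */
    if (value[0] < '0' || value[0] > '9')
        return -1;

    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE)               /* does not fit even in 64 bits */
        return -1;
    if (end == value || *end != '\0')  /* trailing garbage, e.g. "12abc" */
        return -1;
    if (n > UINT32_MAX)                /* wider than 32 bits: reject, never truncate */
        return -1;
    if (n < 1 || n > max_page)         /* fits the type, but no such page exists */
        return -1;

    *out = (uint32_t)n;
    return 0;
}

int main(void)
{
    /* Constructed inputs; 500 is an assumed number of log pages. */
    const char *samples[] = { "12", "2781000", "4294967296", "-1", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t page = 0;
        int rc = parse_page_param(samples[i], 500, &page);
        printf("%-12s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A handler using this pattern would return its failure page for any rejected value instead of passing the raw number to paging logic.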
Preconditions
- Network: network access to the device's web interface
- Auth: no authentication required
Reproduction
Send the following HTTP request to the target device: `if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000`. After the request, the web portal becomes unavailable until the device is rebooted [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/162934/CHIYU-IoT-Denial-Of-Service.html (mitre, x_refsource_MISC)
- gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices (mitre, x_refsource_MISC)
- seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks/ (mitre, x_refsource_MISC)
- www.chiyu-tech.com/msg/message-Firmware-update-87.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.