VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2022 · Updated Sep 16, 2024

ASUS RT-AX88U - Format String

CVE-2022-26674

Description

ASUS RT-AX88U contains a format string vulnerability allowing unauthenticated remote attackers to execute arbitrary code or cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ASUS RT-AX88U routers running firmware versions prior to 3.0.0.4.386.4606 contain a format string vulnerability in the web management interface [1]. The flaw allows an attacker to supply arbitrary format specifiers in HTTP requests, leading to uncontrolled memory writes.

Exploitation

An unauthenticated attacker with network access to the router can exploit this vulnerability by sending a crafted HTTP request containing format string specifiers. No authentication or user interaction is required [1]. The attacker does not need any prior access privileges.

Impact

Successful exploitation enables an attacker to write to arbitrary memory addresses, leading to remote code execution with full system privileges. This can result in complete compromise of the device, including arbitrary system operations, data exfiltration, or denial of service [1].

Mitigation

ASUS has released firmware version 3.0.0.4.386.46065 to fix this vulnerability. Users should update their RT-AX88U to the latest firmware immediately. No known workarounds exist [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Asus/RT-AX88U · llm-fuzzy · 2 versions
    • (no CPE)
    • (no CPE) · range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.