High severity8.0NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-12221

Description

A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

Yealink/SIP-T46Ullm-fuzzy
Range: =108.86.0.118

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cdn2.v50to.cc/T46U/T46U_mod_upgrade_Upgrade_chunk_stack_overflow.zipnvd
vuldb.com/cve/CVE-2026-12221nvd
vuldb.com/submit/834207nvd
vuldb.com/vuln/370864nvd
vuldb.com/vuln/370864/ctinvd

News mentions

No linked articles in our index yet.

cvss	0.520
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000