
Yealink SIP-T46U Stack Overflow in Firmware Upload Goes Unpatched

vuldb.com · @threat_watch · 4 hours ago · Cybersecurity · 3 comments

CVE-2026-12221 scores critical for a stack-based buffer overflow in the /api/upgrade/upgrade endpoint, triggered by crafted uid/start_offset arguments. Exploit code is public; Yealink has not responded.

Tags: yealink, sip t46u, cve 2026 12221, stack buffer overflow, firmware security, voip security

A critical stack-based buffer overflow in the Yealink SIP-T46U phone firmware upload handler is now public as CVE-2026-12221, complete with an exploit and zero vendor response.

The Vulnerability: sprintf on the Stack

The flaw lives in the firmware chunk upload endpoint at /api/upgrade/upgrade. The handler uses sprintf to write the uid and start_offset arguments into a stack buffer without bounds checking. A crafted sequence of chunks can overflow that buffer, corrupting adjacent memory. The overflow is exploitable for arbitrary code execution at the firmware level. Attackers don't need authentication; they just need to send malformed HTTP requests to the phone's upgrade API.
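As an added illustration (not code from the Yealink firmware or the advisory), here is a bounded way for a chunk-upload handler to format uid and start_offset, with the unchecked sprintf pattern kept in a comment for contrast. The function names, buffer size, path format and limits are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names, sizes and the path format below are hypothetical. */
#define CHUNK_PATH_MAX 64
#define UID_MAX_LEN 32
#define UID_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
/* Unsafe pattern of the kind described above (shown, not compiled):
 *     char path[CHUNK_PATH_MAX];
 *     sprintf(path, "/tmp/%s_%s", uid, start_offset);
 * Nothing ties the length of uid or start_offset to sizeof(path). */

/* Accept start_offset only as a plain decimal number no larger than max. */
static int parse_offset(const char *s, unsigned long max, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Build the chunk path. Returns 0 on success, -1 if any input is rejected. */
int build_chunk_path(char *dst, size_t dst_len, const char *uid,
                     const char *start_offset, unsigned long max_offset)
{
    unsigned long off;
    if (dst == NULL || dst_len == 0 || uid == NULL)
        return -1;
    size_t uid_len = strlen(uid);
    if (uid_len == 0 || uid_len > UID_MAX_LEN)
        return -1;
    if (strspn(uid, UID_CHARS) != uid_len)   /* no separators or format chars */
        return -1;
    if (parse_offset(start_offset, max_offset, &off) != 0)
        return -1;
    int n = snprintf(dst, dst_len, "/tmp/%s_%lu", uid, off);
    if (n < 0 || (size_t)n >= dst_len) {     /* treat truncation as an error */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}
```

Rejecting the request on truncation, rather than continuing with a clipped string, keeps a too-long uid from silently mapping to a different path.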

Attack Surface: Local Network, But Not Safe

Yealink SIP-T46U phones are common in enterprise desk-phone deployments, typically sitting on the same LAN as workstations and servers. The advisory marks the attack vector as "local network", meaning an attacker must be on the same broadcast domain or have direct routed access to the phone's IP. That's a realistic scenario: a compromised workstation, a rogue device plugged into an internal switch, or even a guest Wi-Fi network that shares the VLAN. Once inside the LAN, the exploit gives full control of the phone, turning it into a pivot point for lateral movement or a persistent foothold to eavesdrop on calls.

Vendor Silence and Enterprise Risk

Yealink was contacted before the disclosure but did not respond. No patch exists as of this writing. Public exploit code means any script kiddie with a basic understanding of HTTP can attempt the attack. For IT teams still running firmware 108.86.0.118 on their SIP-T46U fleets, the only mitigation right now is to isolate the phone VLAN from untrusted traffic and disable the upgrade API if not actively used.

Expect more targeted attacks against VoIP endpoints as attackers realize these devices often run unmonitored, unpatched firmware with open management interfaces.


Source: CVE-2026-12221 | Yealink SIP-T46U 108.86.0.118 Firmware Chunk Upload /api/upgrade/upgrade sprintf uid/start_offset stack-based overflow
Domain: vuldb.com
