HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-12220Published Modified CNA VulDB

CVE-2026-12220: Yealink SIP-T46U Firmware Chunk Upload handler accupgradebychunk mod_upgrade.SparePartsUpload stack-based overflow

A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Yealink SIP-T46U IP phone firmware (version 108.86.0.118), specifically in the firmware chunk upload handler at the /api/upgrade/accupgradebychunk endpoint, within the mod_upgrade.SparePartsUpload function. The vulnerability is reachable from adjacent networks (LAN, VPN, or similar local network segments) and requires a low-privilege account to exploit. Successful exploitation gives an attacker full control over the device, including the ability to read, modify, or disrupt its operation. No fix version has been published; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as the upstream vendor ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-12220 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built firmware derivative images that bundle Yealink SIP-T46U components. Any image in a customer registry or CI pipeline containing the affected firmware version (108.86.0.118) is flagged automatically.

Available
Triage

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and surfaces it with per-environment compliance policy weighting, so teams with stricter network-device policies see it prioritized accordingly. Triage findings are routed to the appropriate team inbox within each customer organization based on the image ownership and policy configuration.

Available
Patch

Because no fix version has been published by Yealink, HarborGuard re-checks the advisory on every ingest cycle and will make a patched image rebuild available the moment an upstream fix is released. In the meantime, customers can use HarborGuard advisory tracking to receive an immediate notification and trigger their auto-remediation workflow as soon as a patch becomes available.

Pending upstream

Exploit Conditions

  • Network reachabilityDetail

    The attacker must be present on an adjacent network such as a LAN, VLAN, or VPN; the endpoint is not reachable from the open internet.

  • AuthenticationRequired

    A low-privilege account on the device is sufficient to reach the vulnerable endpoint; anonymous unauthenticated access is not enough.

  • Victim interactionNot required

    No user interaction is needed; the attacker can trigger the overflow by sending a crafted request directly to the firmware upload endpoint.

  • Attack complexityDetail

    Exploitation is reliable and condition-free with no race conditions or special environmental factors required (AC:L).

Blast Radius

  • Reads sensitive data stored on the device, including configuration files, SIP credentials, and call logs (VC:H).
  • Modifies device configuration and firmware state, enabling persistent backdoors or rerouting of SIP traffic (VI:H).
  • Crashes or fully disrupts the phone's operation, taking the device offline and denying voice service to its users (VA:H).
  • An attacker with control over a phone on an internal network segment can use it as a pivot point to probe other adjacent devices on the same LAN.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published. Because Yealink has not responded to the disclosure and no patched firmware version exists, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. While no patch is available, recommended compensating controls include applying network-policy rules to isolate SIP-T46U devices to dedicated VLANs, blocking access to the /api/upgrade/ endpoint from untrusted internal segments via egress filtering or a local firewall policy, and disabling the firmware upgrade API feature if it is not operationally required. HarborGuard advisory tracking is available for all affected images so teams receive an immediate alert the moment upstream publishes a remediation.

See how HarborGuard automates this
Affected packages
  • Yealink / SIP-T46U
    108.86.0.118
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References