CVE-2026-12221: Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the Firmware Chunk Upload Handler in Yealink SIP-T46U firmware version 108.86.0.118. The flaw is in the sprintf call processing the uid and start_offset arguments at the /api/upgrade/upgrade endpoint, reachable from within the local network by a low-privileged authenticated user. Successful exploitation gives an attacker full control over the affected device, including the ability to read, modify, or crash it. No vendor patch has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships a fix.
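The bug class described in the synopsis, as an added example (not Yealink's firmware code and not part of the advisory): the buffer size, path format, `UID_MAX_LEN` and the function name `build_chunk_path` are hypothetical, chosen only to show how a handler can format `uid` and `start_offset` without an unbounded `sprintf`.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UID_MAX_LEN 32   /* assumed limit, not taken from the firmware */

/* Unsafe pattern of this class (hypothetical, shown only as a comment):
 *     char path[64];
 *     sprintf(path, "/tmp/upgrade_%s_%s", uid, start_offset);
 * Nothing bounds uid or start_offset, so a long value writes past path[]. */

/* Returns 0 on success, -1 if a field is rejected or the result would not fit. */
int build_chunk_path(char *out, size_t outsz,
                     const char *uid, const char *start_offset)
{
    if (!out || outsz == 0 || !uid || !start_offset)
        return -1;

    /* uid: non-empty, at most UID_MAX_LEN bytes, alphanumeric only. */
    size_t ulen = 0;
    while (uid[ulen] != '\0') {
        if (ulen == UID_MAX_LEN || !isalnum((unsigned char)uid[ulen]))
            return -1;
        ulen++;
    }
    if (ulen == 0)
        return -1;

    /* start_offset: parsed as a decimal number, never copied as a string. */
    if (!isdigit((unsigned char)start_offset[0]))
        return -1;
    char *end = NULL;
    errno = 0;
    unsigned long long off = strtoull(start_offset, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;

    /* snprintf writes at most outsz bytes; a return value >= outsz
     * means the output was truncated, which is treated as a failure. */
    int n = snprintf(out, outsz, "/tmp/upgrade_%s_%llu", uid, off);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```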
HarborGuard Coverage
Detection of CVE-2026-12221 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle this firmware version. Status: Available.
Triage is available with CVSS v4.0 scoring at 8.6 (HIGH), weighted against each customer organization's compliance policy to determine priority and severity tier. HarborGuard routes the finding to the appropriate team inbox within each customer org based on configured ownership rules. Status: Available.
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Yealink releases a corrected firmware version. In the interim, customers can apply compensating controls through HarborGuard's policy engine, including network-segment isolation and egress filtering recommendations surfaced alongside the finding. Status: Pending upstream.
Exploit Conditions
- Network reachability: Detail
  The endpoint is reachable only from within the local network (LAN or equivalent adjacent segment), not directly from the public internet.
- Authentication: Required
  The attacker must be authenticated with at least a low-privilege account on the device to reach the Firmware Chunk Upload Handler.
- Victim interaction: Not required
  No victim action is needed; the attacker triggers the overflow directly by sending a crafted request to the upgrade endpoint.
- Attack complexity: Detail
  Exploit conditions are reliable and free of special environmental requirements, making the overflow straightforward to trigger once network access and credentials are obtained.
Blast Radius
- The attacker gains full read access to data stored on the device, including credentials, configuration, and session material.
- The attacker can modify persisted device configuration or replace firmware, altering device behavior and potentially establishing persistence.
- The attacker can crash the device or render it unresponsive, disrupting voice communications for users depending on it.
- A proof-of-concept exploit is publicly available, lowering the skill bar required and increasing the likelihood of active exploitation attempts.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against all customer images that include the affected Yealink SIP-T46U firmware version (108.86.0.118), with findings surfaced immediately after ingestion. Because Yealink has not published a patch, no automated rebuild is available yet. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published upstream; customers with auto-remediation enabled will then receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads. While no patch exists, the HarborGuard policy engine can surface compensating-control recommendations alongside the finding, including isolating affected devices to a dedicated VLAN, restricting lateral access from adjacent segments, and applying egress filtering to limit post-exploitation reach. The finding is routed to the appropriate team inbox based on each organization's configured ownership and compliance policy.
- Yealink / SIP-T46U 108.86.0.118
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P