Description
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow flaw exists in the sprintf routine used by the Firmware Chunk Upload Handler on the Yealink SIP‑T46U. This weakness, a classic out‑of‑bounds write (CWE‑119) and stack‑based buffer overrun (CWE‑121), occurs when an attacker manipulates the uid and start_offset parameters in the /api/upgrade/upgrade endpoint. The resulting stack corruption can allow a local attacker to execute arbitrary code.

Affected Systems

Yealink SIP‑T46U devices running firmware version 108.86.0.118 are affected; no other versions are listed by the CNA.

Risk and Exploitability

The CVSS score of 8.6 reflects a high severity. EPSS data is unavailable, and the vulnerability is not in the CISA KEV list, yet an exploit is publicly available. Attackers must be within the local network to reach the vulnerable /api/upgrade/upgrade endpoint, but once accessed, the vulnerability can be triggered with crafted input.

Generated by OpenCVE AI on June 15, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the /api/upgrade/upgrade endpoint to a narrow set of trusted management IP addresses or a dedicated VLAN, limiting the attack surface for the vulnerable input handling.
  • If firmware upgrades are not required, disable or remove the upgrade service, or place the device behind an internal firewall that blocks the upgrade interface entirely.
  • When a vendor‑available patch or newer firmware release appears, perform the upgrade to eliminate the flawed code path.

Generated by OpenCVE AI on June 15, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Yealink SIP-T46U Firmware Chunk Upload upgrade sprintf stack-based overflow
First Time appeared Yealink
Yealink sip-t46u
Weaknesses CWE-119
CWE-121
CPEs cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Vendors & Products Yealink
Yealink sip-t46u
References
Metrics cvssV2_0

{'score': 7.7, 'vector': 'AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yealink Sip-t46u
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T05:00:10.661Z

Reserved: 2026-06-14T13:54:18.805Z

Link: CVE-2026-12221

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T06:16:24.263

Modified: 2026-06-15T06:16:24.263

Link: CVE-2026-12221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T09:30:03Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-121

    Stack-based Buffer Overflow