Description
TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.
Published: 2026-04-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow was discovered in the formMapDelDevice function of TOTOLINK A3002RU routers, caused by an unsanitized hostname parameter. When the overflow is triggered, the device's stack memory can be corrupted, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The flaw maps to CWE-121.

Affected Systems

The vulnerability affects TOTOLINK A3002RU routers running firmware version 3.0.0 or earlier, specifically up to B20220304.1804. No other vendor or product variations are listed.

Risk and Exploitability

The vulnerability has no publicly available EPSS score and is not listed in the CISA KEV catalog, yet the remote nature of the buffer overflow suggests a high likelihood of exploitation once a feasible attack vector is found. Attackers would need network access to the router's administration interface, likely via HTTP or a web‑based API that accepts hostname input. Given the severity of a stack overflow and the absence of mitigation details, the risk remains high until a fixed firmware release is deployed.

Generated by OpenCVE AI on April 29, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest firmware version that addresses the stack overflow.
  • If a firmware update is not yet available, restrict external access to the router’s administrative interface or place the device behind a firewall that blocks inbound traffic to the web port.
  • Monitor and log requests to the formMapDelDevice endpoint, and block any attempts that include overly long or malformed hostname parameters.

Generated by OpenCVE AI on April 29, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Title Stack Overflow via Hostname Parameter in TOTOLINK A3002RU formMapDelDevice

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T15:14:43.274Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36837

cve-icon Vulnrichment

Updated: 2026-04-29T15:14:37.875Z

cve-icon NVD

Status : Deferred

Published: 2026-04-29T15:16:05.530

Modified: 2026-04-29T21:22:20.120

Link: CVE-2026-36837

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:15:16Z

Weaknesses