Executive Summary

CVE-2026-36837 is a stack-based buffer overflow vulnerability found in the TOTOLINK A3002RUV3.0 router's boa service interface, specifically in versions up to and including V3.0.0-B20220304.1804.

The vulnerability occurs because the formMapDelDevice function does not properly validate the hostname parameter. An authenticated attacker can send a specially crafted request that exploits the unsafe use of the strcpy function, causing a stack overflow.

This overflow can lead to arbitrary code execution or cause a denial of service condition on the affected device.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a stack-based buffer overflow found in TOTOLINK A3002RU V3 firmware versions up to V3.0.0-B20220304.1804. It occurs via the hostname parameter in the formMapDelDevice function.

Useful 0 Not Useful 0

Impact Analysis

A stack-based buffer overflow can allow an attacker to execute arbitrary code, cause a denial of service, or crash the device. Exploiting this vulnerability could compromise the security and stability of the affected device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely by authenticated users to cause a denial of service or execute arbitrary code on the affected TOTOLINK A3002RUV3.0 router.

The impact includes potential disruption of network services due to device crashes or the attacker gaining control over the device, which could lead to further compromise of the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted requests to the formMapDelDevice function on the TOTOLINK A3002RUV3.0 router's boa service interface, specifically those containing unusual or oversized hostname parameters.

Since the vulnerability involves a stack-based buffer overflow triggered by the hostname parameter, detection can involve inspecting HTTP requests to the router for suspicious payloads targeting this parameter.

Commands to detect such activity might include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests to the router's management interface and filtering for requests containing the formMapDelDevice endpoint.

• tcpdump -i <interface> -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354))' | grep formMapDelDevice
• Use curl or similar tools to test the endpoint with benign and suspicious hostname parameters to observe router behavior.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's management interface to trusted networks or IP addresses to prevent unauthorized or authenticated attackers from exploiting the vulnerability remotely.

Additionally, monitor and block suspicious requests targeting the formMapDelDevice function, especially those with unusual or oversized hostname parameters.

If possible, update the router firmware to a version that addresses this vulnerability once it becomes available from the vendor.

Until a patch is available, consider disabling remote management features or services that expose the vulnerable interface.

Useful 0 Not Useful 0