CVE-2026-36837
Stack-Based Buffer Overflow in TOTOLINK A3002RU Router
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a3002ru | to v3.0.0-b20220304.1804 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36837 is a stack-based buffer overflow vulnerability found in the TOTOLINK A3002RUV3.0 router's boa service interface, specifically in versions up to and including V3.0.0-B20220304.1804.
The vulnerability occurs because the formMapDelDevice function does not properly validate the hostname parameter. An authenticated attacker can send a specially crafted request that exploits the unsafe use of the strcpy function, causing a stack overflow.
This overflow can lead to arbitrary code execution or cause a denial of service condition on the affected device.
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow found in TOTOLINK A3002RU V3 firmware versions up to V3.0.0-B20220304.1804. It occurs via the hostname parameter in the formMapDelDevice function.
How can this vulnerability impact me? :
A stack-based buffer overflow can allow an attacker to execute arbitrary code, cause a denial of service, or crash the device. Exploiting this vulnerability could compromise the security and stability of the affected device.
How can this vulnerability impact me? :
This vulnerability can be exploited remotely by authenticated users to cause a denial of service or execute arbitrary code on the affected TOTOLINK A3002RUV3.0 router.
The impact includes potential disruption of network services due to device crashes or the attacker gaining control over the device, which could lead to further compromise of the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for specially crafted requests to the formMapDelDevice function on the TOTOLINK A3002RUV3.0 router's boa service interface, specifically those containing unusual or oversized hostname parameters.
Since the vulnerability involves a stack-based buffer overflow triggered by the hostname parameter, detection can involve inspecting HTTP requests to the router for suspicious payloads targeting this parameter.
Commands to detect such activity might include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests to the router's management interface and filtering for requests containing the formMapDelDevice endpoint.
- tcpdump -i <interface> -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354))' | grep formMapDelDevice
- Use curl or similar tools to test the endpoint with benign and suspicious hostname parameters to observe router behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's management interface to trusted networks or IP addresses to prevent unauthorized or authenticated attackers from exploiting the vulnerability remotely.
Additionally, monitor and block suspicious requests targeting the formMapDelDevice function, especially those with unusual or oversized hostname parameters.
If possible, update the router firmware to a version that addresses this vulnerability once it becomes available from the vendor.
Until a patch is available, consider disabling remote management features or services that expose the vulnerable interface.