CVE-2026-7219
Remote Buffer Overflow in Totolink N300RT /boafrm/formIpQoS
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | n300rt | to 3.4.0-b20250430 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-7219 vulnerability is a stack-based buffer overflow in the TOTOLINK N300RT router that can lead to denial of service or potentially remote code execution. This security flaw could compromise the confidentiality, integrity, and availability of the device and its data.
Such a vulnerability may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data through secure systems and timely mitigation of security risks. If exploited, this flaw could lead to unauthorized access or disruption of services, thereby violating requirements for data protection and system integrity.
However, specific impacts on compliance depend on the context of the device's use, the data it processes, and the implemented security controls and mitigations.
Can you explain this vulnerability to me?
CVE-2026-7219 is a stack-based buffer overflow vulnerability found in the TOTOLINK N300RT router's firmware version up to 3.4.0-B20250430. It exists in the /boafrm/formIpQoS endpoint of the boa web server.
An authenticated attacker can exploit this vulnerability by sending a specially crafted POST request containing an oversized "entry_name" parameter. This parameter is not properly validated for length and is copied insecurely using the unsafe strcpy function into a fixed-size buffer of 192 bytes on the stack.
Because the buffer is smaller than the input, the attacker can overflow it and overwrite the saved return address on the stack, which is located 324 bytes from the buffer's start. This allows the attacker to hijack the control flow of the program.
Exploitation requires authentication to obtain a valid session token and valid parameters to pass business logic checks. A proof-of-concept shows that sending 324 'A' characters followed by 'BBBB' causes the web server to crash, resulting in denial of service. Potentially, this overflow could be used for remote code execution.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated attacker to cause a denial of service (DoS) on your TOTOLINK N300RT router's web management interface, making it inaccessible.
Additionally, because the attacker can overwrite the return address on the stack, there is a potential risk of remote code execution (RCE), which could allow the attacker to execute arbitrary code on the device.
Such impacts could lead to loss of control over the router, disruption of network services, and potential compromise of the device and network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the /boafrm/formIpQoS endpoint of the TOTOLINK N300RT router's web server. The request should include an oversized "entry_name" parameter designed to overflow the buffer.
A proof-of-concept involves sending a POST request with 324 'A' characters followed by "BBBB" (0x42424242) in the "entry_name" field, which causes the web server to crash, indicating the presence of the vulnerability.
Since exploitation requires authentication, detection commands should include authentication tokens and valid ipStart and ipEnd parameters to pass business logic checks.
Example command using curl to test for the vulnerability (authentication and valid parameters required):
- curl -X POST "http://<router-ip>/boafrm/formIpQoS" -d "entry_name=$(python3 -c 'print("A"*324 + "BBBB")')&sessionCheck=<valid_token>&ipStart=<valid_ip>&ipEnd=<valid_ip>"
If the router's web management interface crashes or becomes inaccessible after this request, it indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web management interface to trusted users only, as exploitation requires authentication.
Avoid sending or accepting suspicious POST requests to the /boafrm/formIpQoS endpoint, especially those containing unusually long "entry_name" parameters.
Monitor the router for crashes or denial of service conditions that may indicate exploitation attempts.
Apply any available firmware updates or patches from the vendor that address this buffer overflow vulnerability.
If no patch is available, consider disabling the vulnerable service or limiting network exposure of the router's management interface until a fix is applied.