CVE-2026-7546
Stack-Based Buffer Overflow in Totolink NR1800X
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | nr1800x | 9.1.0u.6279_b20210910 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7546 is a security vulnerability in the lighttpd component of the Totolink NR1800X router (firmware 9.1.0u.6279_b20210910), specifically in the function find_host_ip. The function copies the value of the HTTP Host header into a 32-byte buffer on the stack without first checking the length of the input.
Any Host value longer than that buffer overwrites adjacent stack memory (a stack-based buffer overflow, CWE-121). The public proof of concept sends a Host header of 512 bytes or more, which reliably corrupts the stack and crashes the web service, leaving it unresponsive.
The request can be sent remotely and requires no authentication. The only demonstrated impact is denial of service: after the crafted request the device stops answering legitimate HTTP requests. No code-execution path has been published.
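The pattern the description names, as an added illustration in C. This is not the page's, Totolink's or lighttpd's code: the real find_host_ip is not shown here, so its body is an assumption (copy the host part of the header, minus any ":port", into a fixed 32-byte local array). The vulnerable form is kept only to show the unbounded copy; the hardened form computes the length first and refuses anything that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed buffer size, taken from the advisory text (32 bytes on the stack). */
#define HOST_BUF_LEN 32

/* Vulnerable pattern (CWE-121): the length of host_header is never compared
 * to sizeof(ip). A 512-byte Host header writes far past the 32-byte local
 * array, clobbering saved registers and the return address on the stack.
 * Never call this with untrusted input; it is here only to show the bug. */
static void find_host_ip_vulnerable(const char *host_header)
{
    char ip[HOST_BUF_LEN];
    strcpy(ip, host_header);            /* unbounded write into a stack array */
    char *colon = strchr(ip, ':');
    if (colon)
        *colon = '\0';
    printf("host (unsafe parse): %s\n", ip);
}

/* Hardened replacement: measure the host part first (stop at ":port"),
 * reject an empty host or one that does not fit, then copy with an explicit
 * bound. Returns 0 on success, -1 on rejection; out is always NUL-terminated
 * when out_len > 0. */
int find_host_ip_safe(const char *host_header, char *out, size_t out_len)
{
    if (host_header == NULL || out == NULL || out_len == 0)
        return -1;

    size_t host_len = strcspn(host_header, ":");
    if (host_len == 0 || host_len >= out_len) {   /* would overflow: refuse */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, host_header, host_len);
    out[host_len] = '\0';
    return 0;
}

int main(void)
{
    char out[HOST_BUF_LEN];

    /* Constructed sample inputs: a normal header and the oversized one
     * from the proof of concept (512 x 'A'). */
    const char *normal = "192.168.0.1:80";
    char *oversized = malloc(513);
    memset(oversized, 'A', 512);
    oversized[512] = '\0';

    find_host_ip_vulnerable(normal);    /* fine; with `oversized` it would smash the stack */

    int rc = find_host_ip_safe(normal, out, sizeof out);
    printf("safe(normal)    -> %d, host=%s\n", rc, out);
    rc = find_host_ip_safe(oversized, out, sizeof out);
    printf("safe(oversized) -> %d (rejected)\n", rc);

    free(oversized);
    return 0;
}
```

The usual half-fix, switching strcpy to strncpy with the buffer size, is not enough: strncpy does not NUL-terminate when the input fills the buffer, so the later strchr reads past the array. Checking the length before any copy, as above, removes both problems.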
How can this vulnerability impact me?
This vulnerability can be exploited remotely by an unauthenticated attacker to cause a denial-of-service (DoS) condition on the affected Totolink NR1800X device.
A single HTTP request with an overlong Host header triggers the stack-based buffer overflow and crashes the lighttpd web service, so the device stops answering legitimate HTTP requests (including its own management interface).
Because the web service runs on the router itself, the outage can extend to any service that depends on the device, and recovery typically requires restarting the service or rebooting the device.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The non-destructive check is an inventory one: an NR1800X running firmware 9.1.0u.6279_b20210910 (visible in the device's web management interface) is affected.
Confirming the bug actively means reproducing the denial of service, so it should only be done against a lab unit or during a maintenance window, never against a device someone depends on. The crafted request is simple to build: a Host header of 512 or more bytes, followed by a check for a crash (a segmentation fault in the device logs) or for the web service no longer answering.
The same request can be sent from a short Python script or directly with curl.
- Send a request with an oversized Host header, with a timeout so the command returns if the service dies: curl --max-time 5 -H "Host: $(python3 -c 'print("A"*512)')" http://target-device/
- Monitor the device logs for segmentation faults or service restarts after sending the request.
- Send a normal request afterwards (curl --max-time 5 http://target-device/) and check whether the web service still responds.
What immediate steps should I take to mitigate this vulnerability?
Apply a vendor firmware update that addresses this issue as soon as one is available; that is the only complete fix, since the overflow is in the device's own web service.
Until then, reduce exposure: do not expose the device's web interface to the WAN, and restrict access on the LAN to trusted management hosts where the firmware allows it.
Where the interface must stay reachable, place it behind a reverse proxy or web application firewall (WAF) that enforces a maximum HTTP header size and drops requests whose Host header exceeds a few hundred bytes, so oversized values never reach the device.
Monitor the device for crashes or a non-responsive web service and restart the service (or reboot the device) to recover; treat repeated crashes as a sign that the request is being sent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the vulnerability in Totolink NR1800X affects compliance with common standards and regulations such as GDPR or HIPAA.