CVE-2026-1158

CVE-2026-1158 is a buffer overflow vulnerability affecting the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The flaw resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. By manipulating the 'ssid' argument in a POST request, an attacker can trigger the buffer overflow, as documented with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-19.

The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user on the device. Exploitation requires network access and low attack complexity with no user interaction needed. Successful exploitation leads to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data theft, or full device compromise. A public exploit has been released, increasing the risk of real-world attacks.

Advisories and details are available through references including VulDB entries (vuldb.com/?ctiid.341752, vuldb.com/?id.341752, vuldb.com/?submit.735728), a technical write-up at lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279, and the vendor site at totolink.net. No specific patch or mitigation details are outlined in the core vulnerability data, but practitioners should consult these sources for firmware updates or workarounds.

Notable context includes the public availability of an exploit, heightening the urgency for affected devices to be patched or isolated. No AI/ML relevance is indicated.