CVE-2026-26736
Published: 17 February 2026
Description
TOTOLINK A3002RU_V3 V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the static_ipv6 parameter in the formIpv6Setup function.
Mitigating Controls (NIST 800-53 r5)AI
Directly validates inputs like the static_ipv6 parameter to prevent stack-based buffer overflows in the formIpv6Setup function.
Provides memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of the stack-based buffer overflow vulnerability.
Mandates timely identification, reporting, and patching of the buffer overflow flaw in TOTOLINK A3002RU_V3 firmware.
Security SummaryAI
CVE-2026-26736 is a stack-based buffer overflow vulnerability (CWE-787, CWE-121) in the TOTOLINK A3002RU_V3 router firmware version V3.0.0-B20220304.1804. The issue resides in the formIpv6Setup function and is triggered by specially crafted input to the static_ipv6 parameter.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by an attacker possessing low privileges. Exploitation requires low complexity and no user interaction, enabling high-impact consequences including unauthorized access to sensitive data, modification of system behavior, and disruption of services, potentially leading to full remote code execution.
A proof-of-concept exploit is publicly available on GitHub at https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formIpv6Setup-StackOverflow. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable stack-based buffer overflow in a public-facing router web interface (formIpv6Setup), enabling remote code execution with low privileges, directly mapping to exploitation of public-facing applications.