
CVE-2026-12221

HIGH · CVSS 8.0 · EPSS 0.4%
hype MIXED · 62 hack

Real vuln with public PoC and vendor silence, but early-stage chatter lacks defender confirmation or KEV listing.

What: Stack-based buffer overflow in the Yealink SIP-T46U firmware chunk upload handler (sprintf in /api/upgrade/upgrade), triggered by manipulating the uid/start_offset argument. CVSS 8.0 HIGH. Adjacent-network attack vector (AV:A) with low privileges required (PR:L).

Why it matters: A public exploit exists and the vendor did not respond to the disclosure. However, the CVE is not listed in CISA KEV, and the CVSS vector constrains the threat model: AV:A means the attacker must be on the same network segment as the phone, and PR:L means they also need a low-privilege account on the device (the description does not say whether default credentials suffice). Real vulnerability, constrained threat model: primarily relevant to organizations with untrusted internal networks, flat VoIP VLANs, or physical-access risk.

Where it's seen: Same-day infosec aggregator chatter on Bluesky and X (Vulmon feeds). Posts cite the NVD description verbatim; no independent PoC analysis or defender triage reports are visible yet. The posts appear to stem from a single disclosure thread rather than independent reporting.

RISK: HIGH — Stack overflow on network device, vendor non-responsive, public exploit, but local-only attack surface.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/15/2026, 11:09:32 AM

Description

A vulnerability was found in Yealink SIP-T46U 108.86.0.118. It affects the function sprintf in the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Manipulating the argument uid/start_offset results in a stack-based buffer overflow. The attack must be carried out from the adjacent (local) network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
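
To make the bug class concrete, the following is an added illustration written for this page; it is not Yealink's firmware code and does not reproduce the real handler, whose format string and buffer layout are not public here. It shows a hypothetical chunk-upload handler that formats the request parameters uid and start_offset into a fixed-size stack buffer with sprintf, beside a hardened version that validates both parameters and uses a bounded snprintf whose return value is checked. The path format, buffer size, limits and function names are all assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All sizes and limits below are assumptions for the illustration. */
#define CHUNK_PATH_MAX   64                     /* fixed stack buffer in the handler */
#define UID_MAX          32                     /* longest uid the hardened code accepts */
#define MAX_IMAGE_BYTES  (256ULL * 1024 * 1024) /* upper bound for start_offset */

/* Constructed hostile input: a 64-byte uid, already longer than the buffer. */
#define LONG_UID "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" \
                 "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"

/* VULNERABLE pattern: request parameters go straight into a fixed-size stack
 * buffer through sprintf, which writes as many bytes as the format expands to.
 * A uid or start_offset longer than the remaining space overwrites the stack.
 * Never call this with untrusted input; it is here only to show the shape. */
void build_chunk_path_unsafe(char path[CHUNK_PATH_MAX],
                             const char *uid, const char *start_offset)
{
    sprintf(path, "/tmp/upgrade/%s.%s.chunk", uid, start_offset);
}

/* How many bytes the unsafe sprintf above would emit (terminator included),
 * computed without writing anywhere so the overflow condition can be shown. */
size_t unsafe_bytes_needed(const char *uid, const char *start_offset)
{
    int n = snprintf(NULL, 0, "/tmp/upgrade/%s.%s.chunk", uid, start_offset);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened: uid must be a short token of [A-Za-z0-9_-], which also rules out
 * path separators and dots. */
bool uid_is_valid(const char *uid)
{
    if (uid == NULL) return false;
    size_t n = 0;
    for (; uid[n] != '\0'; n++) {
        if (n >= UID_MAX) return false;           /* too long */
        unsigned char c = (unsigned char)uid[n];
        if (!isalnum(c) && c != '_' && c != '-') return false;
    }
    return n > 0;
}

/* Hardened: start_offset must be a plain non-negative decimal with no sign,
 * no trailing junk, and no larger than max. */
bool parse_start_offset(const char *s, unsigned long long max,
                        unsigned long long *out)
{
    if (s == NULL || !isdigit((unsigned char)s[0])) return false;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return false;
    *out = v;
    return true;
}

/* Hardened builder: validate, then snprintf into the caller's buffer and treat
 * truncation as an error instead of continuing with a mangled path.
 * Returns 0 on success, -1 bad uid, -2 bad start_offset, -3 does not fit. */
int build_chunk_path_safe(char *path, size_t path_len,
                          const char *uid, const char *start_offset)
{
    unsigned long long off;
    if (!uid_is_valid(uid)) return -1;
    if (!parse_start_offset(start_offset, MAX_IMAGE_BYTES, &off)) return -2;
    int n = snprintf(path, path_len, "/tmp/upgrade/%s.%llu.chunk", uid, off);
    if (n < 0 || (size_t)n >= path_len) return -3;
    return 0;
}

/* Wrappers that own the buffer, so results can be checked by return value. */
int demo_safe_rc(const char *uid, const char *start_offset, size_t buflen)
{
    char buf[CHUNK_PATH_MAX];
    if (buflen > sizeof buf) buflen = sizeof buf;
    return build_chunk_path_safe(buf, buflen, uid, start_offset);
}

int demo_safe_path_equals(const char *uid, const char *start_offset,
                          const char *expected)
{
    char buf[CHUNK_PATH_MAX];
    if (build_chunk_path_safe(buf, sizeof buf, uid, start_offset) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[CHUNK_PATH_MAX];
    build_chunk_path_unsafe(buf, "phone01", "0");   /* benign input only */
    printf("unsafe, benign : %s\n", buf);
    printf("unsafe, hostile: needs %zu bytes, buffer is %d\n",
           unsafe_bytes_needed(LONG_UID, "0"), CHUNK_PATH_MAX);
    printf("safe, hostile  : rc=%d\n", demo_safe_rc(LONG_UID, "0", sizeof buf));
    printf("safe, bad off  : rc=%d\n", demo_safe_rc("phone01", "12abc", sizeof buf));
    return 0;
}
```

The point of the hardened version is that validation happens before formatting and that a truncated snprintf result is a rejection, not a silent success; checking only one of the two still leaves either a stack write or a mangled filename on the table.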

CVSS 3.1 breakdown

Exploitability 2.1 · Impact 5.9
vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: Adjacent network (AV:A)
Attack complexity: Low (AC:L)
Privileges required: Low (PR:L)
User interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Weaknesses